Abstract


This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time.
1 Introduction


1.1 Overview 


Timed computing systems are systems in which desirable correctness or performance properties of the system depend on the timing of events, not just on the order of their occurrence. A typical timed system consists of computer components, which operate in discrete steps, and timing-related components such as physical or logical clocks, whose behavior involves continuous transformation over time. Timed systems are employed in a wide range of domains including communications, embedded systems, real-time operating systems, and automated control. Many applications involving timed systems have strong safety, reliability and predictability requirements, which makes it important to have methods for systematic design of systems and rigorous analysis of timing-dependent behavior.


In this paper, we introduce a basic mathematical framework — the Timed Input/Output Automaton modeling framework — to support description and analysis of timed systems. A Timed I/O Automaton (TIOA) is a kind of nondeterministic, possibly infinite-state, state machine. The state of a TIOA is described by a valuation of state variables that are internal to the automaton. The state of a TIOA can change in two ways: instantaneously by the occurrence of a discrete transition, which is labeled by a discrete action, or according to a trajectory, which is a function that describes the evolution of the state variables over intervals of time. Trajectories may be continuous or discontinuous functions.


The TIOA framework supports decomposition of system description and analysis. A 
key to this decomposition is the rigorously-defined notion of external behavior for timed 
I/O automata. The external behavior of each TIOA is defined by a simple mathematical 
object called a trace—essentially, a sequence of actions interspersed with time-passage steps. 
Abstraction and parallel composition are other important notions for decomposition of 
system description and analysis. 


For abstraction, the framework includes notions of implementation and simulation, which can be used to view timed systems at multiple levels of abstraction, starting from a high-level version that describes required properties, and ending with a low-level version that describes a detailed design or implementation. In particular, the TIOA framework defines what it means for one TIOA, A, to implement another TIOA, B, namely, any trace that can be exhibited by A is also allowed by B. In this case, A might be more deterministic than B, in terms of either discrete transitions or trajectories. For instance, B might be allowed to perform an output action at an arbitrary time before noon, whereas A produces the same output sometime between 10 and 11AM. The notion of a simulation relation from A to B provides a sufficient condition for demonstrating that A implements B. A simulation relation is defined to satisfy three conditions, one relating start states, one relating discrete transitions, and one relating trajectories of A and B.


For parallel composition, the framework provides a composition operation, by which TIOAs modeling individual timed system components can be combined to produce a model for a larger timed system. The model for the composed system can describe interactions among the components, which involves joint participation in discrete transitions. Composition requires certain “compatibility” conditions, namely, that each output action be controlled by at most one automaton, and that internal actions of one automaton cannot be shared by any other automaton. The composition operation respects traces, for example, if A_1 implements A_2 then the composition of A_1 and B implements the composition of A_2 and B. Composition also satisfies projection and pasting results, which are fundamental for compositional design and verification of systems: a trace of a composition of TIOAs “projects” to give traces of the individual TIOAs, and traces of components are “pastable” to give behaviors of the composition.


A formal modeling framework needs to support the statement and verification of both 
safety and liveness properties if it is to be of general practical use. A safety property 
specifies the absence of certain undesirable events, while a liveness property specifies that 
certain desirable events eventually occur. The TIOA modeling framework defines the 
notions of safety and liveness properties for a TIOA, and what it means for a pair of safety 
and liveness properties to be machine-closed. Machine-closure refers to the condition that 
a liveness property does not impose safety constraints beyond those already imposed by 
the safety property, and is usually considered to be a reasonable condition to satisfy in 
defining safety and liveness properties for a system. 


The proof of many interesting liveness properties for concurrent systems requires some 
assumption about each activity in the system getting “enough” chances to make progress. 
Fairness properties are special kinds of liveness properties that express this informal idea. 
The TIOA framework includes notions of weak and strong fairness, and results that state 
under which conditions the fair traces of a TIOA can be shown to be included in the fair 
traces of another. 


An interesting complication that arises in the timed setting is the possibility that a state machine could exhibit so-called Zeno behavior, by allowing time to approach a finite point in time without quite reaching it, or by scheduling infinitely many discrete actions to happen in a finite amount of time. The TIOA framework includes a notion of receptiveness, which is used to classify automata that do not contribute to producing Zeno behavior, and which is preserved by composition. Receptiveness of a TIOA, A, in the TIOA framework is defined in terms of the existence of a strategy, which is defined as a subautomaton of A that chooses some of the evolutions from each state of A. This simple notion of a strategy is used also in the statement of results that identify the conditions under which the outcome of a system’s interactions with its environment satisfies a liveness property.


The TIOA modeling framework presented in this paper has evolved from the recently introduced Hybrid Input/Output Automaton (HIOA) modeling framework for hybrid systems [22] by Lynch, Segala and Vaandrager. Our approach is based on the assumption that a timed system can be viewed as a special kind of a hybrid system where the continuous transformation is limited to internal system components that determine the timing of events. Therefore, we define a TIOA as a restricted HIOA where the only essential difference between an HIOA and a TIOA is that an HIOA may have external variables to model the continuous information flowing into and out of the system, in addition to state variables. A major consequence of this definition is that the communication between TIOAs is restricted to shared-action communication only. The TIOA model does not impose any further restrictions on the expressive power of the HIOA model.


We have undertaken the project of developing this new modeling framework even 
though there are several timed automaton models that extend the basic I/O automaton 
model [29, 36, 27, 25], because we have observed that the new HIOA modeling framework 
of Lynch, Segala and Vaandrager offered a way of improving and simplifying previous 
work on timed I/O automaton models [36, 27, 25]. For example, the use of trajectories as 
first-class objects to represent the external behavior of a timed automaton, the definition 
of a strategy as an automaton rather than a two-player game, and the variable structure 
on states are all new features that were motivated by what we learned in developing the 
HIOA framework and that gave rise to more elegant definitions and simpler proofs for 
timed automata. 


We intend the TIOA model to serve as a general semantic framework in which previous 
results for timed I/O automata [27, 29, 36, 25] and other related models [6, 28, 32, 11] 
can be re-cast in a style that is upwardly compatible with the new HIOA model. Limiting 
the communication to discrete interactions is an apt choice since the previous timed I/O 
automaton models also adopt this type of communication. On the other hand, by avoid- 
ing any further restrictions on the general hybrid model, we obtain an expressive model 
suitable for specifying complex timing behavior. For example, our model does not require 
variables to be either discrete or to evolve at the same rate as real-time as in some other 
models [6, 32]. Consequently, algorithms such as clock synchronization algorithms that 
use local clocks evolving at different and varying rates can be formalized naturally in our 
framework. 


The fact that HIOAs subsume TIOAs as a special class does not eliminate the need 
for having a separate modeling framework for timed systems. First, having no external 
variables in the TIOA model gives rise to considerable simplifications in the theory. For 
example, proving that the composition of two timed automata is a well-defined automaton 
becomes simpler in the absence of external variables; no extra compatibility conditions as 
in the general HIOA framework are needed to obtain the desirable composition theorems 
for TIOAs. 


Second, we believe that focusing on the TIOA model presented in this paper is compatible with our longer-term goal of developing a unified I/O automaton model that can address timing-dependent, probabilistic and general hybrid behavior in a common framework. We are planning to start out with a probabilistic model with discrete interactions only, and then extend the model to handle timing-dependent behavior, and only at later stages consider continuous interactions. It would be harder to integrate probabilistic mechanisms into the full hybrid model than it would be to integrate them into the TIOA model presented here.


1.2 Related Work


One of the widely-used formal frameworks for timed systems is that of Alur-Dill timed automata [6, 4]. An Alur-Dill automaton is a finite directed multigraph augmented with a finite set of clock variables. The semantics of such a timed automaton are defined as a state transition system in which each state consists of a location and a clock valuation. Clocks are assumed to change at the same rate as real-time. The aim of facilitating automated verification based on reachability analysis seems to be the main motivation for the restrictions on the expressive power of the model. The timed automaton model presented in this paper is more expressive than the model of Alur-Dill automata. In our model, there are no finiteness assumptions and no restrictions imposed on the dynamic type of variables. We give a semantics for Alur-Dill automata by using a restricted class of our timed automata. Alur-Dill timed automata have been extensively studied with a formal-language-theoretic view. Our focus, on the other hand, has been to develop a general formal framework with a well-defined notion of external behavior, parallel composition and abstraction that supports reasoning with simulation relations.


Uppaal [32, 21] is a widely-used modeling and verification tool for timed systems. It 
supports the description of systems as a network of Alur-Dill timed automata and enhances 
that model with CCS-style communication [30] along with other notions such as committed 
and urgent locations. Uppaal also supports communication via shared variables. Uppaal 
has a sophisticated model-checker that explores the whole state space of the modeled 
system to verify timing properties. Therefore, finiteness assumptions are built into the 
model to make such verification possible and the operations on clocks are restricted. For 
example, it is not possible to add the current value of a clock to a message as a timestamp 
when it is placed in a buffer. One of our plans for the near future is to work on a formal 
semantics for Uppaal based on some variation of our restricted hybrid I/O automaton 
model. There are several small mismatches due to the style of communication and notions 
such as committed locations but we intend to investigate to what extent we can use 
the communication mechanisms of our automata to model these formally. We could, for 
example, allow a non-empty set of external variables with restricted dynamic types and 
seek restrictions on the use of shared variables in Uppaal which would allow us to view 
these variables as external variables in the HIOA sense. 


A slight generalization of Alur-Dill timed automata are the linear hybrid automata 
of [5]. In this model, apart from clocks that progress with rate 1, one can also use 
continuous variables whose derivatives are contained in some arbitrary interval. A well- 
known model checking tool for linear hybrid automata is HyTech [17]. The input language 
of HyTech can easily be translated into our TIOA model. 


The timed I/O automaton modeling framework presented in this paper can be used to express models that use lower and upper time bounds on tasks or actions [29, 28]. Our framework includes an operation for adding time bounds on a subset of the actions of a timed automaton. As a result of this operation, lower bounds are transformed to appropriate preconditions for transitions and upper bounds are transformed to stopping conditions for trajectories.


An interesting timed automaton model called “Clock GTA” has been introduced in [11]. The model was used for describing algorithms that behave in accordance with their timing constraints in certain intervals but may exhibit timing failures for some other intervals. The possibility of expressing such an ability turns out to be crucial for performance and fault-tolerance analysis for practical algorithms [11, 26]. We are interested in finding a systematic way of describing such behavior with our new timed I/O automaton model.


1.3 Paper Organization


The rest of this paper is organized as follows. Section 2 contains mathematical preliminar- 
ies. Section 3 defines notions that are useful for describing the behavior of timed systems, 
most importantly, trajectories and timed sequences. Section 4 defines timed automata 
(TAs), which contain all of the structure of TIOAs except for the classification of external 
actions as inputs or outputs. It also defines external behavior for TAs and implementation 
and simulation relationships between TAs. Section 5 presents composition and hiding op- 
erations for TAs, along with operations for untiming and adding bounds that relate TIOAs 
to other timed automaton models. Section 6 presents definitions and results on the clas- 
sification of properties of TAs as safety and liveness properties. Section 7 defines timed 
I/O automata (TIOAs) by adding an input/output classification to TAs, and extends the 
theory of TAs to TIOAs. It also defines special kinds of TIOAs such as progressive and 
receptive TIOAs. Section 8 presents compositionality results for TIOAs in general, and 
for the special classes of progressive and receptive TIOAs. Section 9 presents a theory 
for properties for TIOAs focusing on receptiveness for properties. Examples are included 
throughout. 


2 Mathematical Preliminaries 


In this section, we give basic mathematical definitions and notation that will be used 
as a foundation for our definitions of timed automata and timed I/O automata. These 
definitions involve functions, sequences, partial orders, and untimed automata. 


2.1 Functions and Relations 


If f is a function, then we denote the domain and range of f by dom(f) and range(f), respectively. If also S is a set, then we write f ⌈ S for the restriction of f to S, that is, the function g with dom(g) = dom(f) ∩ S such that g(c) = f(c) for each c ∈ dom(g).


We say that two functions f and g are compatible if f ⌈ dom(g) = g ⌈ dom(f). If f and g are compatible functions then we write f ∪ g for the unique function h with dom(h) = dom(f) ∪ dom(g) satisfying the condition: for each c ∈ dom(h), if c ∈ dom(f) then h(c) = f(c) and if c ∈ dom(g) then h(c) = g(c). More generally, if F is a set of pairwise compatible functions then we write ∪F for the unique function h with dom(h) = ∪{dom(f) | f ∈ F} satisfying the condition: for each f ∈ F and c ∈ dom(f), h(c) = f(c).


If f is a function whose range is a set of functions and S is a set, then we write f ⌈ S for the function g with dom(g) = dom(f) such that g(c) = f(c) ⌈ S for each c ∈ dom(g). The restriction operation ⌈ is extended to sets of functions by pointwise extension. Also, if f is a function whose range is a set of functions, all of which have a particular element d in their domain, then we write f ↓ d for the function g with dom(g) = dom(f) such that g(c) = f(c)(d) for each c ∈ dom(g).


We say that two functions f and g whose ranges are sets of functions are pointwise compatible if for each c ∈ dom(f) ∩ dom(g), f(c) and g(c) are compatible. If f and g have the same domain and are pointwise compatible, then we denote by f ∪ g the function h with dom(h) = dom(f) such that h(c) = f(c) ∪ g(c) for each c.


A relation over sets X and Y is defined to be any subset of X × Y. If R is a relation, then we denote the domain and range of R by dom(R) and range(R), respectively. A relation R over X and Y is total over X if dom(R) = X. We say that a relation R over X and Y is image-finite if for each x ∈ X, R(x) is finite.


2.2 Sequences 


Let S be any set. A sequence over S is a function from a downward-closed subset of Z^{>0} to S. Thus, the domain of a sequence is either the set of all positive integers, or is of the form {1, ..., k} for some k. In the first case we say that the sequence is infinite, and in the second case finite. We use |σ| to denote the cardinality of dom(σ), that is, the number of elements in σ. The sets of finite and infinite sequences over S are denoted by S^* and S^ω, respectively. Concatenation of a finite sequence with a finite or infinite sequence is denoted by juxtaposition. We use λ to denote the empty sequence, that is, the sequence with the empty domain. The sequence containing one element c ∈ S is abbreviated as c. We say that a sequence σ is a prefix of a sequence ρ, denoted by σ ≤ ρ, if σ = ρ ⌈ dom(σ). Thus, σ ≤ ρ if either σ = ρ, or σ is finite and ρ = σσ' for some sequence σ'. If σ is a nonempty sequence then head(σ) denotes the first element of σ and tail(σ) denotes σ with its first element removed. Moreover, if σ is finite, then last(σ) denotes the last element of σ and init(σ) denotes σ with its last element removed. Let σ and σ' be sequences over S. Then σ' is a subsequence of σ provided that there exists a monotone increasing function f : dom(σ') → dom(σ) such that σ'(i) = σ(f(i)) for all i ∈ dom(σ'). If 1 ≤ j_1 ≤ j_2 ≤ |σ|, then we define σ(j_1 ... j_2) to be the subsequence of σ obtained by extracting the elements in positions j_1, ..., j_2; that is, σ' is the subsequence obtained from the function f of length j_2 − j_1 + 1, where f(i) = i + j_1 − 1 for all i.
2.3 Partial Orders


We recall some basic definitions and results regarding partial orders, and in particular, complete partial orders (cpos) from [15, 16]. A partial order is a set S together with a binary relation ⊑ that is reflexive, antisymmetric, and transitive. In the sequel, we usually denote posets by the set S without explicit mention of the binary relation ⊑.


A subset P ⊆ S is bounded (above) if there is a c ∈ S such that d ⊑ c for each d ∈ P; in this case, c is an upper bound for P. A least upper bound (lub) for a subset P ⊆ S is an upper bound c for P such that c ⊑ d for every upper bound d for P. If P has a lub, then it is necessarily unique, and we denote it by ⊔P. A subset P ⊆ S is directed if every finite subset Q of P has an upper bound in P. A poset S is complete, and hence is a complete partial order (cpo), if every directed subset P of S has a lub in S.


We say that P' ⊆ S dominates P ⊆ S, denoted by P ⊑ P', if for every c ∈ P there is some c' ∈ P' such that c ⊑ c'. We use the following two simple lemmas, adapted from [16, Lemmas 3.1.1 and 3.1.2].


Lemma 2.1 If P, P' are directed subsets of a cpo S and P ⊑ P' then ⊔P ⊑ ⊔P'.


Lemma 2.2 Let P = {c_{ij} | i ∈ I, j ∈ J} be a doubly indexed subset of a cpo S. Let P_i denote the set {c_{ij} | j ∈ J} for each i ∈ I. Suppose

1. P is directed,
2. each P_i is directed with lub c_i, and
3. the set {c_i | i ∈ I} is directed.

Then ⊔P = ⊔{c_i | i ∈ I}.


A finite or infinite sequence of elements, c_0 c_1 c_2 ..., of a partially ordered set (S, ⊑) is called a chain if c_i ⊑ c_{i+1} for each non-final index i. We define the limit of the chain, lim_{i→∞} c_i, to be the lub of the set {c_0, c_1, c_2, ...} if S contains such a bound; otherwise, the limit is undefined. Since a chain is a special case of a directed set, each chain of a cpo has a limit.


A function f : S → S' between posets S and S' is monotone if f(c) ⊑ f(d) whenever c ⊑ d. If f is monotone and P is a directed set, then the set f(P) = {f(c) | c ∈ P} is directed as well. If f is monotone and f(⊔P) = ⊔f(P) for every directed P, then f is said to be continuous.


An element c of a cpo S is compact if, for every directed set P such that c ⊑ ⊔P, there is some d ∈ P such that c ⊑ d. We define K(S) to be the set of compact elements of S. A cpo S is algebraic if every c ∈ S is the lub of the set {d ∈ K(S) | d ⊑ c}. A simple example of an algebraic cpo is the set of finite or infinite sequences over some given domain, equipped with the prefix ordering. Here the compact elements are the finite sequences.
2.4 A Basic Graph Lemma


Lemma 2.3 Let G be an infinite directed graph that satisfies the following properties.

1. G has finitely many roots.
2. Each node of G has finite outdegree.
3. Each node of G is reachable from some root of G.

Then, there is an infinite path in G starting from some root.


Proof: The proof is an extension of König’s Lemma [20]. □


2.5 Untimed Automata 


An untimed automaton (UA) A is defined as a tuple (Q, Θ, E, H, D) which consists of:

• A set Q of states.
• A non-empty set Θ ⊆ Q of start states.
• A set E of external actions and a set H of internal actions, disjoint from each other. We write A = E ∪ H.
• A set D ⊆ Q × A × Q of discrete transitions.


An execution fragment of an untimed automaton A is either a finite sequence s_0 a_1 s_1 a_2 ··· a_n s_n or an infinite sequence s_0 a_1 s_1 a_2 ···, of alternating states and actions of A such that (s_k, a_{k+1}, s_{k+1}) is in D for every non-final index k where k ≥ 0. An execution fragment beginning with a start state is called an execution. If σ is an execution fragment of A, then the trace of σ is defined as the subsequence of σ consisting of all the external actions.


If σ is a finite execution fragment of an automaton A and σ' is any execution fragment of A that begins with the last state of σ, then we write σ ⌢ σ' to represent the sequence obtained by concatenating σ and σ', eliminating the duplicate occurrence of the last state of σ. It is easy to see that σ ⌢ σ' is also an execution fragment of A.
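The definitions of Section 2.5 (untimed automaton, execution fragment, execution, trace, and the ⌢ concatenation of fragments) written out as executable checks. This is an added example, not code from the paper; the sender automaton is a constructed toy, and only finite execution fragments are handled.

```python
from dataclasses import dataclass
from typing import FrozenSet, Hashable, Sequence, Tuple

State = Hashable
Action = Hashable
Transition = Tuple[State, Action, State]


@dataclass(frozen=True)
class UntimedAutomaton:
    """An untimed automaton (Q, Theta, E, H, D) in the sense of Section 2.5."""
    states: FrozenSet[State]             # Q
    start: FrozenSet[State]              # Theta: non-empty subset of Q
    external: FrozenSet[Action]          # E
    internal: FrozenSet[Action]          # H, disjoint from E
    transitions: FrozenSet[Transition]   # D, subset of Q x A x Q

    def __post_init__(self) -> None:
        # Reject structures that violate the definition instead of silently accepting them.
        if not self.start or not self.start <= self.states:
            raise ValueError("start states must be a non-empty subset of Q")
        if self.external & self.internal:
            raise ValueError("external and internal actions must be disjoint")
        for s, a, s2 in self.transitions:
            if s not in self.states or s2 not in self.states or a not in self.actions:
                raise ValueError(f"transition {(s, a, s2)} is not in Q x A x Q")

    @property
    def actions(self) -> FrozenSet[Action]:
        return self.external | self.internal   # A = E ∪ H


def is_execution_fragment(aut: UntimedAutomaton, seq: Sequence) -> bool:
    """Finite fragments only: seq = s0 a1 s1 ... an sn with (s_k, a_{k+1}, s_{k+1}) in D."""
    if len(seq) % 2 == 0:           # must start and end with a state, so odd length (>= 1)
        return False
    if seq[0] not in aut.states:     # a lone state is a fragment iff it is a state of A
        return False
    return all((seq[k], seq[k + 1], seq[k + 2]) in aut.transitions
               for k in range(0, len(seq) - 1, 2))


def is_execution(aut: UntimedAutomaton, seq: Sequence) -> bool:
    """An execution is an execution fragment that begins with a start state."""
    return is_execution_fragment(aut, seq) and seq[0] in aut.start


def trace(aut: UntimedAutomaton, seq: Sequence) -> Tuple[Action, ...]:
    """The trace: the subsequence of external actions (states and internal actions dropped)."""
    return tuple(a for a in seq[1::2] if a in aut.external)


def concat(sigma: Sequence, sigma2: Sequence) -> tuple:
    """sigma ⌢ sigma2: sigma2 must begin with last(sigma); that state appears only once."""
    if sigma2[0] != sigma[-1]:
        raise ValueError("second fragment must begin with the last state of the first")
    return tuple(sigma) + tuple(sigma2[1:])


# Constructed toy automaton (not from the paper): a sender that emits `send`, processes
# internally, then observes `recv`.  `process` is internal and therefore invisible in traces.
SENDER = UntimedAutomaton(
    states=frozenset({"idle", "sent", "done"}),
    start=frozenset({"idle"}),
    external=frozenset({"send", "recv"}),
    internal=frozenset({"process"}),
    transitions=frozenset({("idle", "send", "sent"),
                           ("sent", "process", "done"),
                           ("done", "recv", "idle")}),
)

EXEC = ("idle", "send", "sent", "process", "done", "recv", "idle")

if __name__ == "__main__":
    print(is_execution(SENDER, EXEC), trace(SENDER, EXEC))           # True ('send', 'recv')
    print(is_execution_fragment(SENDER, ("idle", "recv", "sent")))   # False: not a transition
    print(concat(("idle", "send", "sent"), ("sent", "process", "done")))
```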


3 Describing Timed System Behavior 


In this section, we give basic definitions that are useful for describing discrete and con- 
tinuous changes to the system’s state. The key notions are static and dynamic types for 
variables, trajectories, and hybrid sequences. Most of the material in this section comes 
from the paper on the HIOA modeling framework [22]. The reader is referred to [22] for 
the proofs that are not included here. 
3.1 Time


Throughout this paper, we fix a time axis T, which is a subgroup of (R, +), the real numbers with addition. We assume that every infinite, monotone, bounded sequence of elements of T has a limit in T. The reader may find it convenient to think of T as the set R of real numbers, but the set Z of integers and the singleton set {0} are also examples of allowed time axes. We define T^{≥0} = {t ∈ T | t ≥ 0}.


An interval J is a nonempty, convex subset of T. We denote intervals as usual: [t_1, t_2] = {t ∈ T | t_1 ≤ t ≤ t_2}, [t_1, t_2) = {t ∈ T | t_1 ≤ t < t_2}, etc. An interval J is left-closed (right-closed) if it has a minimum (resp., maximum) element, and left-open (right-open) otherwise. It is closed if it is both left-closed and right-closed. We write min(J) and max(J) for the minimum and maximum elements, respectively, of an interval J (if they exist), and inf(J) and sup(J) for the infimum and supremum, respectively, of J in R ∪ {−∞, ∞}. For K ⊆ T and t ∈ T, we define K + t = {t' + t | t' ∈ K}. Similarly, for a function f with domain K, we define f + t to be the function with domain K + t satisfying, for each t' ∈ K + t, (f + t)(t') = f(t' − t).


In some definitions and theorems in the paper where we use R as the time domain we assume that the relation ≤ on R extends to a relation on R ∪ {∞} such that ∞ ≤ ∞ and for all t ∈ R, t < ∞.


3.2 Static and Dynamic Types 


We assume a universal set 𝒱 of variables. A variable represents a location within the state of a system. For each variable v, we assume both a (static) type, which gives the set of values it may take on, and a dynamic type, which gives the set of trajectories it may follow. Formally, for each variable v we assume the following:

• type(v), the (static) type of v. This is a nonempty set of values.

• dtype(v), the dynamic type of v. This is a set of functions from left-closed intervals of T to type(v) that satisfies the following properties:

1. (Closure under time shift)
For each f ∈ dtype(v) and t ∈ T, f + t ∈ dtype(v).

2. (Closure under subinterval)
For each f ∈ dtype(v) and each left-closed interval J ⊆ dom(f), f ⌈ J ∈ dtype(v).

3. (Closure under pasting)
Let f_0 f_1 f_2 ... be a sequence of functions in dtype(v) such that, for each index i such that f_i is not the final function in the sequence, dom(f_i) is right-closed and max(dom(f_i)) = min(dom(f_{i+1})). Then the function f defined by f(t) = f_i(t), where i is the smallest index such that t ∈ dom(f_i), is in dtype(v).


Example 3.1 (Discrete variables) Let v be any variable and let Constant be the set of constant functions from a left-closed interval of T to type(v). Then Constant is closed under time shift and subinterval. If the dynamic type of v is obtained by closing Constant under the pasting operation, then v is called a discrete variable. This is essentially the same as the definition of a discrete variable in [28]. □


Example 3.2 (Analog variables) Assume that T = R. Let v be any variable whose static type is an interval of R and Continuous be the set of continuous functions from a left-closed interval of T to type(v). Then Continuous is closed under time shift and subinterval. If the dynamic type of v is obtained by closing Continuous under the pasting operation, then v is called an analog variable. □


Example 3.3 (Standard real-valued function classes) If we take T = R and type(v) = R, then other examples of dynamic types can be obtained by taking the pasting closure of standard function classes from real analysis: the set of differentiable functions, the set of functions that are differentiable k times (for any k), the set of smooth functions, the set of integrable functions, the set of L^p functions (for any p), the set of measurable locally essentially bounded functions [37], or the set of all functions. □


Standard function classes are closed under time shift and subinterval, but not under 
pasting. A natural way of defining a dynamic type is as the pasting closure of a class of 
functions that is closed under time shift and subinterval. In such a case, it follows that 
the new class is closed under all three operations. 


3.3 Trajectories


In this subsection, we define the notion of a trajectory, define operations on trajectories, 
and prove simple properties of trajectories and their operations. A trajectory is used to 
model the evolution of a collection of variables over an interval of time. 


3.3.1 Basic Definitions 


Let V be a set of variables, that is, a subset of the universal set 𝒱. A valuation v for V is a function that associates with each variable v ∈ V a value in type(v). We write val(V) for the set of valuations for V. Let J be a left-closed interval of T with left endpoint equal to 0. Then a J-trajectory for V is a function τ : J → val(V), such that for each v ∈ V, τ ↓ v ∈ dtype(v). A trajectory for V is a J-trajectory for V, for any J. We write trajs(V) for the set of all trajectories for V.


A trajectory for V with domain [0, 0] is called a point trajectory for V. If v is a valuation for V then ℘(v) denotes the point trajectory for V that maps 0 to v. We say that a J-trajectory is finite if J is a finite interval, closed if J is a (finite) closed interval, open if J is a right-open interval, and full if J = T^{≥0}. If T is a set of trajectories, then finite(T), closed(T), open(T), and full(T) denote the subsets of T consisting of all the finite, closed, open, and full trajectories in T, respectively.


If τ is a trajectory then τ.ltime, the limit time of τ, is the supremum of dom(τ). We define τ.fval, the first valuation of τ, to be τ(0), and if τ is closed, we define τ.lval, the last valuation of τ, to be τ(τ.ltime). For τ a trajectory and t ∈ T^{≥0}, we define

$$\tau \trianglelefteq t = \tau \lceil [0, t], \qquad \tau \lhd t = \tau \lceil [0, t), \qquad \tau \rhd t = (\tau \lceil [t, \infty)) - t.$$

Note that, since dynamic types are closed under time shift and subintervals, the result of applying the above operations is always a trajectory, except when the result is a function with an empty domain. By convention, we also write τ ⊴ ∞ = τ and τ ◁ ∞ = τ.


3.3.2 Prefix Ordering 


Trajectory τ is a prefix of trajectory υ, denoted by τ ≤ υ, if τ can be obtained by restricting υ to a subset of its domain. Formally, if τ and υ are trajectories for V, then τ ≤ υ iff τ = υ ⌈ dom(τ). Alternatively, τ ≤ υ iff there exists a t ∈ T^{≥0} ∪ {∞} such that τ = υ ⊴ t or τ = υ ◁ t. If τ ≤ υ then clearly dom(τ) ⊆ dom(υ). If T is a set of trajectories for V, then pref(T) denotes the prefix closure of T, defined by:

$$\mathit{pref}(T) = \{\tau \in \mathit{trajs}(V) \mid \exists \upsilon \in T : \tau \le \upsilon\}.$$

We say that T is prefix closed if T = pref(T).


The following lemma gives a simple domain-theoretic characterization of the set of 
trajectories over a given set V of variables: 


Lemma 3.4 Let V be a set of variables. The set trajs(V) of trajectories for V, together with the prefix ordering ≤, is an algebraic cpo. Its compact elements are the closed trajectories.


3.3.3 Concatenation 


The concatenation of two trajectories is obtained by taking the union of the first trajectory and the function obtained by shifting the domain of the second trajectory until the start time agrees with the limit time of the first trajectory; the last valuation of the first trajectory, which may not be the same as the first valuation of the second trajectory, is the one that appears in the concatenation. Formally, suppose τ and τ' are trajectories for V, with τ closed. Then the concatenation τ ⌢ τ' is the function given by

$$\tau \frown \tau' = \tau \cup \big((\tau' \lceil (0, \infty)) + \tau.\mathit{ltime}\big).$$

Because dynamic types are closed under time shift and pasting, it follows that τ ⌢ τ' is a trajectory for V. Observe that τ ⌢ τ' is finite (resp., closed, full) if and only if τ' is finite (resp., closed, full). Observe also that concatenation is associative.


The following lemma, which is easy to prove, shows the close connection between 
concatenation and the prefix ordering. 


Lemma 3.5 Let τ and υ be trajectories for V with τ closed. Then


$$\tau \le \upsilon \;\Leftrightarrow\; \exists \tau' : \upsilon = \tau \frown \tau'.$$


Note that if τ ≤ υ, then the trajectory τ' such that υ = τ ⌢ τ' is unique except that it has
an arbitrary value for τ'.fval. Note also that the "⇐" implication in Lemma 3.5 would
not hold if the first valuation of the second argument, rather than the last valuation of
the first argument, were used in the concatenation.


We extend the definition of concatenation to any (finite or countably infinite) number
of arguments. Let τ0 τ1 τ2 ... be a (finite or infinite) sequence of trajectories such that τ_i
is closed for each nonfinal index i. Define trajectories τ'_0, τ'_1, τ'_2, ... inductively by


$$\tau'_0 \;\triangleq\; \tau_0,$$
$$\tau'_{i+1} \;\triangleq\; \tau'_i \frown \tau_{i+1} \quad \text{for nonfinal } i.$$


Lemma 3.5 implies that for each nonfinal i, τ'_i ≤ τ'_{i+1}. We define the concatenation
τ0 ⌢ τ1 ⌢ τ2 ⋯ to be the limit of the chain τ'_0 τ'_1 τ'_2 ...; existence of this limit follows from
Lemma 3.4.


3.4 Hybrid Sequences 


In this subsection, we introduce the notion of a hybrid sequence, which is used to model a 
combination of changes that occur instantaneously and changes that occur over intervals 
of time. Our definition is parameterized by a set A of actions, which are used to model 
instantaneous changes and instantaneous synchronizations with the environment, and a 
set V of variables, which are used to model changes over intervals of time. We also define 
some special kinds of hybrid sequences and some operations on hybrid sequences, and give 
basic properties. 




3.4.1 Basic Definitions 


Fix a set A of actions and a set V of variables. An (A, V)-sequence is a finite or infinite
alternating sequence α = τ0 a1 τ1 a2 τ2 ..., where

1. each τ_i is a trajectory in trajs(V),

2. each a_i is an action in A,

3. if α is a finite sequence then it ends with a trajectory, and

4. if τ_i is not the last trajectory in α then dom(τ_i) is closed.


A hybrid sequence is an (A, V)-sequence for some A and V.


Since the trajectories in a hybrid sequence can be point trajectories, our notion of
hybrid sequence allows a sequence of discrete actions to occur at the same real time, with
corresponding changes of variable values. An alternative approach is described in [34],
where state changes at a single real time are modeled using a notion of "superdense time".
Specifically, hybrid behavior is modeled in [34] using functions from an extended time
domain, which includes countably many elements for each real time, to states.


If α is a hybrid sequence, with notation as above, then we define the limit time of α,
α.ltime, to be Σ_i τ_i.ltime. A hybrid sequence α is defined to be:


• time-bounded if α.ltime is finite.

• admissible if α.ltime = ∞.

• closed if α is a finite sequence and the domain of its final trajectory is a closed
interval.

• Zeno if α is neither closed nor admissible, that is, if α is time-bounded and is either
an infinite sequence, or else a finite sequence ending with a trajectory whose domain
is right-open.

• non-Zeno if α is not Zeno.


For any hybrid sequence α, we define the first valuation of α, α.fval, to be head(α).fval.
Also, if α is closed, we define the last valuation of α, α.lval, to be last(α).lval, that is, the
last valuation in the final trajectory of α.


If α is a hybrid sequence of the form τ0 a1 τ1 a2 τ2 ..., we use actions(α) to denote the
sequence a1 a2 a3 ..., which is obtained by discarding the trajectories in α.


If α is a closed (A, V)-sequence, where V = ∅ and β ∈ trajs(∅), we call α ⌢ β a
time-extension of α.


3.4.2 Prefix Ordering


We say that (A, V)-sequence α = τ0 a1 τ1 ... is a prefix of (A, V)-sequence β = υ0 b1 υ1 ...,
denoted by α ≤ β, provided that (at least) one of the following holds:


1. α = β.

2. α is a finite sequence ending in some τ_k; τ_i = υ_i and a_{i+1} = b_{i+1} for every i, 0 ≤ i < k;
and τ_k ≤ υ_k.


Like the set of trajectories over V, the set of (A, V)-sequences is an algebraic cpo: 


Lemma 3.6 Let V be a set of variables and A a set of actions. The set of (A, V)-
sequences, together with the prefix ordering ≤, is an algebraic cpo. Its compact elements
are the closed (A, V)-sequences.


3.4.3 Concatenation


Suppose α and α' are (A, V)-sequences with α closed. Then the concatenation α ⌢ α' is
the (A, V)-sequence given by


$$\alpha \frown \alpha' \;\triangleq\; \mathit{init}(\alpha)\;\bigl(\mathit{last}(\alpha) \frown \mathit{head}(\alpha')\bigr)\;\mathit{tail}(\alpha').$$


(Here, init, last, head and tail are ordinary sequence operations.)


Lemma 3.7 Let α and β be (A, V)-sequences with α closed. Then


$$\alpha \le \beta \;\Leftrightarrow\; \exists \alpha' : \beta = \alpha \frown \alpha'.$$


Note that if α ≤ β, then the (A, V)-sequence α' such that β = α ⌢ α' is unique except
that it has an arbitrary value in val(V) for α'.fval.


As we did for trajectories, we extend the concatenation definition for (A, V)-sequences
to any finite or infinite number of arguments. Let α0 α1 ... be a finite or infinite sequence
of (A, V)-sequences such that α_i is closed for each nonfinal index i. Define (A, V)-sequences
α'_0, α'_1, ... inductively by


$$\alpha'_0 \;\triangleq\; \alpha_0,$$
$$\alpha'_{i+1} \;\triangleq\; \alpha'_i \frown \alpha_{i+1} \quad \text{for nonfinal } i.$$


Lemma 3.7 implies that for each nonfinal i, α'_i ≤ α'_{i+1}. We define the concatenation
α0 ⌢ α1 ⌢ ⋯ to be the limit of the chain α'_0 α'_1 ...; existence of this limit is ensured by
Lemma 3.6.


3.4.4 Restriction


Let A and A' be sets of actions and let V and V' be sets of variables. The (A', V')-
restriction of an (A, V)-sequence α, denoted by α ⌈(A', V'), is obtained by first projecting
all trajectories of α on the variables in V', then removing the actions not in A', and finally
concatenating all adjacent trajectories. Formally, we define the (A', V')-restriction first
for closed (A, V)-sequences and then extend the definition to arbitrary (A, V)-sequences
using a limit construction. The definition for closed (A, V)-sequences is by induction on
the length of those sequences:


$$\tau \lceil (A', V') \;\triangleq\; \tau \lceil V' \qquad \text{if } \tau \text{ is a single trajectory,}$$
$$(\alpha\, a\, \tau) \lceil (A', V') \;\triangleq\; \begin{cases} (\alpha \lceil (A', V'))\; a\; (\tau \lceil V') & \text{if } a \in A', \\ (\alpha \lceil (A', V')) \frown (\tau \lceil V') & \text{otherwise.} \end{cases}$$


It is easy to see that the restriction operator is monotone on the set of closed (A, V)-
sequences. Hence, if we apply this operation to a directed set, the result is again a directed
set. Together with Lemma 3.6, this allows us to extend the definition of restriction to
arbitrary (A, V)-sequences by:


$$\alpha \lceil (A', V') \;\triangleq\; \bigsqcup \{\beta \lceil (A', V') \mid \beta \text{ is a closed prefix of } \alpha\}.$$


Lemma 3.8 (A', V')-restriction is a continuous operation.

Lemma 3.9 (α0 ⌢ α1 ⌢ ⋯) ⌈(A, V) = α0 ⌈(A, V) ⌢ α1 ⌈(A, V) ⌢ ⋯.

Lemma 3.10 (α ⌈(A, V)) ⌈(A', V') = α ⌈(A ∩ A', V ∩ V').

Lemma 3.11 Let α be a hybrid sequence, A a set of actions and V a set of variables.

1. α is time-bounded if and only if α ⌈(A, V) is time-bounded.

2. α is admissible if and only if α ⌈(A, V) is admissible.

3. If α is closed then α ⌈(A, V) is closed.

4. If α is non-Zeno then α ⌈(A, V) is non-Zeno.


Example 3.12 (A Zeno execution with a closed (A, V)-restriction) In order to
understand why we have an implication in only one direction in items 3 and 4, consider the
Zeno sequence α of the form ℘(v) a ℘(v) a ℘(v) .... Let A be a set such that a ∉ A and let
V consist of the variables in dom(v). Obviously, α ⌈(A, V), which is ℘(v), is closed, and
hence also non-Zeno. This shows that the fact that α ⌈(A, V) is closed (resp., non-Zeno)
does not imply that α is closed (resp., non-Zeno).


4 Timed Automata


In this section, as a preliminary step toward defining timed I/O automata, we define a 
slightly more general timed automaton model. In timed automata, actions are classified as 
external or internal, but external actions are not further classified as input or output; the 
input/output distinction is added in Section 7. We define how timed automata execute 
and define implementation and simulation relations between timed automata. 


4.1 Definition of Timed Automata 


A timed automaton is a state machine whose states are divided into variables, and that 
has a set of discrete actions, some of which may be internal and some external. The state 
of a timed automaton may change in two ways: by discrete transitions, which change 
the state atomically, and by trajectories, which describe the evolution of the state over 
intervals of time. The discrete transitions are labeled with actions; this will allow us to 
synchronize the transitions of different timed automata when we compose them in parallel. 
The evolution described by a trajectory may be described by continuous or discontinuous 
functions. 


Formally, a timed automaton (TA) A = (X, Q, Θ, E, H, D, T) consists of:


• A set X of internal variables.

• A set Q ⊆ val(X) of states.

• A nonempty set Θ ⊆ Q of start states.

• A set E of external actions and a set H of internal actions, disjoint from each other.
We write A ≜ E ∪ H.

• A set D ⊆ Q × A × Q of discrete transitions.
We use x →_A^a x' as shorthand for (x, a, x') ∈ D. Here and elsewhere, we sometimes
drop the subscript and write x →^a x', when we think A should be clear from the
context. We say that a is enabled in x if x →^a x' for some x'. We say that a set C
of actions is enabled in a state x if some action in C is enabled in x.

• A set T of trajectories for X such that τ(t) ∈ Q for every τ ∈ T and t ∈ dom(τ).
Given a trajectory τ ∈ T we denote τ.fval by τ.fstate and, if τ is closed, we denote
τ.lval by τ.lstate. When τ.fstate = x and τ.lstate = x', we sometimes write x →_A^τ x'.
We require that the following axioms hold:


T0 (Existence of point trajectories)
If x ∈ Q then ℘(x) ∈ T.

T1 (Prefix closure)
For every τ ∈ T and every τ' ≤ τ, τ' ∈ T.

T2 (Suffix closure)
For every τ ∈ T and every t ∈ dom(τ), τ ▷ t ∈ T.

T3 (Concatenation closure)
Let τ0 τ1 τ2 ... be a sequence of trajectories in T such that, for each nonfinal
index i, τ_i is closed and τ_i.lstate = τ_{i+1}.fstate. Then τ0 ⌢ τ1 ⌢ τ2 ⋯ ∈ T.


Thus, a timed automaton is essentially a hybrid automaton in the sense of [22] in
which W, the set of external variables, is empty. (The only difference is the addition of
the axiom T0, which does not affect any of the results of [22].) This definition differs from
previous definitions of timed automata [25, 36] in two major respects. First, the states are 
structured using variables, which have dynamic types with specific closure properties. The 
variable structure is convenient for writing specifications and the dynamic types are useful 
in analyzing continuous evolution of the state. Second, the set of trajectories is defined 
as an explicit component of an automaton. In the previous definitions, time-passage was 
represented by special time-passage actions and trajectories were defined implicitly, as 
auxiliary functions describing the effects of time-passage actions on states. 


Notation: We often denote the components of a TA A by X_A, Q_A, Θ_A, E_A, etc., and
the components of a TA A_i by X_i, Q_i, Θ_i, E_i, etc. We sometimes omit these subscripts,
where no confusion seems likely. In examples we typically specify sets of trajectories using
differential and algebraic equations and inclusions. Below we explain a few notational
conventions that help us in doing this. Suppose the time domain T is R, τ is a (fixed)
trajectory over some set of variables V, and v ∈ V. With some abuse of notation, we use
the variable name v to denote the function τ ↓ v in dom(τ) → type(v), which gives the
value of v at all times during trajectory τ. Similarly, we view any expression e containing
variables from V as a function with domain dom(τ). Suppose that v is a variable and e is
a real-valued expression containing variables from V. Using these conventions we can say,
for example, that τ satisfies the algebraic equation


$$v = e$$


which means that, for every t ∈ dom(τ), v(t) = e(t), that is, the constraint on the variables
expressed by the equation v = e holds for each state on trajectory τ. Now suppose also
that e, when viewed as a function, is integrable. Then we say that τ satisfies


$$d(v) = e$$


if, for every t ∈ dom(τ), $v(t) = v(0) + \int_0^t e(t')\,dt'$. Equivalently, for every t1, t2 ∈ dom(τ)
such that t1 ≤ t2, $v(t_2) = v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$. Note that this interpretation of the differential
equation makes sense even at points where v is not differentiable. A similar interpretation
of differential equations is used by Polderman and Willems [35], who call functions defined
in this way "weak solutions".


We generalize this notation to handle inequalities as well as equalities. Suppose that v
is a variable and e is a real-valued expression containing variables from V. The inequality


$$e \le v$$


means that, for every t ∈ dom(τ), e(t) ≤ v(t). That is, the constraint expressed by the
inequality e ≤ v holds for each state of trajectory τ. Similarly, the inequality


$$v \le e$$


means that, for every t ∈ dom(τ), v(t) ≤ e(t). Now suppose that e is integrable when
viewed as a function. Then we say that τ satisfies


$$e \le d(v)$$


if, for every t1, t2 ∈ dom(τ) such that t1 ≤ t2, $v(t_1) + \int_{t_1}^{t_2} e(t')\,dt' \le v(t_2)$, and τ satisfies


$$d(v) \le e$$


if, for every t1, t2 ∈ dom(τ) such that t1 ≤ t2, $v(t_2) \le v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$.


Conventions for automata specifications: In all the examples of this paper we assume
that T = R. The static type of a variable v is always written explicitly. Discrete and
analog variables are designated using the keywords discrete and analog respectively. The
definition of what it means for a variable to be discrete or analog is given in Examples 3.1
and 3.2. Although timed automata may contain variables that are neither discrete nor
analog, none of our examples use such variables.


The transitions are specified in precondition-effect style. A precondition clause spec- 
ifies the enabling condition for an action. The effect clause contains a list of statements 
that specify the effect of performing that action on the state. All the statements in an 
effect clause are assumed to be executed sequentially in a single indivisible step. The 
absence of a specified precondition for an action means that the action is always enabled 
and the absence of a specified effect means that performing the action does not change 
the state. 


The trajectories are specified by using a variation of the language presented in [31]. A
satisfies clause contains a list of predicates that must be satisfied by all the trajectories.
This clause is followed by a stops when clause. If the predicate in this clause becomes
true at a point t in time, then t must be the limit time of the trajectory. When there is
no stopping condition for trajectories we omit the stops when clause. In specifications we
write d(v) = e, d(v) ≤ e and e ≤ d(v) with the meanings defined above. If the value of a
variable is constant throughout a trajectory then we write constant(v). If the evolution of
a variable follows a continuous function throughout a trajectory then we write continuous(v).


Automaton TimedChannel(b, M) where b ∈ R^+

Variables X:    discrete queue, a finite sequence of elements of M × R, initially empty
                analog now ∈ R, initially 0

States Q:       val(X)

Actions A:      external send(m), receive(m) where m ∈ M

Transitions D:  external send(m)
                  effect
                    add (m, now + b) to queue

                external receive(m)
                  precondition
                    ∃u. (m, u) is first element of queue
                  effect
                    remove first element of queue

Trajectories T: satisfies
                  constant(queue)
                  d(now) = 1
                stops when
                  ∃(m, u) ∈ queue. (now = u)


Figure 1: Time-bounded channel


Example 4.1 (Time-bounded channel) The automaton in Figure 2 is the specification
of a reliable FIFO channel that delivers its messages within a certain time bound,
represented by the automaton parameter b of type R^+. The other automaton parameter
M is an arbitrary type parameter that represents the type of messages communicated by
the channel.


The discrete variable queue is used to hold pairs consisting of a message that has been
sent and its delivery deadline. The analog variable now is used to describe real time.


Every send(m) transition adds to the queue a new pair whose first component is m
and whose second component is the deadline now + b. A receive(m) transition can occur
only when m is the first message in the queue and it results in the removal of the first
message from the queue.
automaton TimedChannel(b: Real, M)
  signature
    external send(m), receive(m) where m ∈ M
  states
    queue: Queue[M] := {}
    now: Real := 0
  initially b > 0
  transitions
    external send(m)
      eff queue := append((m, now+b), queue)
    external receive(m)
      pre \exists u (m,u) = head(queue)
      eff queue := tail(queue)
  trajectories
    stop when \exists (m,u) ∈ queue (now = u)
    evolve d(now) = 1


Figure 2: Time-bounded channel


The trajectory specification shows that the discrete variable queue is kept constant 
by trajectories and that the variable now increases with rate 1, that is, at the same rate 
as real time. The stopping condition implies that, within a trajectory, time cannot pass 
beyond the point where now becomes equal to the delivery deadline of some message in 
the queue. 
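To make the stops when semantics concrete, here is TimedChannel(b, M) of Figures 1 and 2 as an explicit state machine, where time passage is only allowed up to the earliest delivery deadline in the queue. This is an added example, not code from the paper; b = 2.0, the message names, and the helper names initial, max_advance and advance are this example's own constructions.

```python
# TimedChannel(b, M) of Figures 1 and 2 as an explicit state machine.  Added example, not
# the paper's code; b = 2.0 and the message names below are constructed values.
from typing import List, Tuple

State = dict   # {"b": bound, "queue": [(m, deadline), ...], "now": real time}


def initial(b: float) -> State:
    assert b > 0, "b ∈ R+"
    return {"b": b, "queue": [], "now": 0.0}


def send(s: State, m) -> State:
    """external send(m): no precondition, so always enabled; adds (m, now + b) to queue."""
    return {**s, "queue": s["queue"] + [(m, s["now"] + s["b"])]}


def receive_enabled(s: State, m) -> bool:
    """precondition of receive(m): some (m, u) is the first element of queue."""
    return bool(s["queue"]) and s["queue"][0][0] == m


def receive(s: State, m) -> State:
    if not receive_enabled(s, m):
        raise ValueError(f"receive({m!r}) is not enabled: queue = {s['queue']}")
    return {**s, "queue": s["queue"][1:]}


def max_advance(s: State) -> float:
    """Limit time of the longest trajectory from s.  Trajectories keep queue constant and
    satisfy d(now) = 1; the clause 'stops when ∃(m,u) ∈ queue. now = u' forces a trajectory
    to end as soon as now reaches the earliest deadline, so time cannot pass it."""
    return min((u - s["now"] for _, u in s["queue"]), default=float("inf"))


def advance(s: State, d: float) -> State:
    """Follow a trajectory of limit time d, if one exists in T."""
    if d < 0 or d > max_advance(s):
        raise ValueError(f"no trajectory of length {d} from now = {s['now']}")
    return {**s, "now": s["now"] + d}


def run() -> List[Tuple[str, float, float]]:
    """One closed execution; records (last action, now, max_advance) after each action."""
    log = []
    s = send(initial(2.0), "m1")                   # deadline 2.0
    log.append(("send(m1)", s["now"], max_advance(s)))
    s = advance(s, 1.0)
    s = send(s, "m2")                              # deadline 3.0
    log.append(("send(m2)", s["now"], max_advance(s)))
    s = advance(s, max_advance(s))                 # now = 2.0: time is stuck here ...
    s = receive(s, "m1")                           # ... until m1 is delivered
    log.append(("receive(m1)", s["now"], max_advance(s)))
    s = advance(s, 1.0)
    s = receive(s, "m2")
    log.append(("receive(m2)", s["now"], max_advance(s)))   # empty queue: no bound
    return log
```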


Example 4.2 (Periodic sending process) The automaton in Figure 3 is the specification
of a process that sends messages periodically, every u time units, where u is an
automaton parameter of type R^{≥0}. The type parameter M represents the type of the
messages sent by the process.


The analog variable clock is a timer whose value records the amount of time that has 
elapsed since it was last reset to 0. A send(m) transition can occur only when clock = u, 
and it causes clock to be reset. The trajectory specification says that clock increases at 
the same rate as real time and time cannot pass beyond the point where clock = u. 


Example 4.3 (Periodic sending process with failures) The specification of the
PeriodicSend(u, M) process from Example 4.2 does not model failures. We now consider
a variant of PeriodicSend(u, M) where the process may fail and stop doing any discrete
actions. The specification of this new automaton is given in Figure 4.


Automaton PeriodicSend(u, M) where u ∈ R^{≥0}

Variables X:    analog clock ∈ R, initially 0

States Q:       val(X)

Actions A:      external send(m) where m ∈ M

Transitions D:  external send(m)
                  precondition
                    clock = u
                  effect
                    clock := 0

Trajectories T: satisfies
                  d(clock) = 1
                stops when
                  clock = u


Figure 3: Periodic sending process


The discrete variable failed in automaton PeriodicSend2 is a boolean flag that records 
whether the process is failed. It is initialized to false and is set to true when a fail 
action occurs. The trajectory specification of PeriodicSend2 shows that time can advance 
without any bound when the process is failed. 


Example 4.4 (Timeout process) The automaton Timeout(u,M) in Figure 5 is the 
specification of a process that awaits the receipt of a message from another process. If 
u time units elapse without such a message arriving, Timeout(u,M) performs a timeout 
action, thereby “suspecting” the other process. When a message arrives it “unsuspects” 
the other process. Timeout(u,M) may suspect and unsuspect repeatedly. 


The discrete variable suspected is a flag that shows whether Timeout(u,M) suspects 
that the other process is failed. The variable clock is a timer that records the amount of 
time that has elapsed since the receipt of the last message. 


A receive(m) transition can occur at any time; this causes the variable clock to be 
reset and the flag suspected to be set to false. If clock reaches u before the arrival of a 
message then the timeout action becomes enabled. The process sets suspected to true as 
a result of a timeout. 


The discrete variable suspected remains constant throughout each trajectory. The
trajectory specification also shows that clock increases at the same rate as real time and,
if suspected = false, then time cannot go beyond the point where clock = u. Note that if
suspected = true, there is no restriction on the amount of time that can elapse.


Automaton PeriodicSend2(u, M) where u ∈ R^+

Variables X:    discrete failed ∈ Bool, initially false
                analog clock ∈ R, initially 0

States Q:       val(X)

Actions A:      external send(m) where m ∈ M
                external fail

Transitions D:  external send(m)
                  precondition
                    ¬failed
                    clock = u
                  effect
                    clock := 0

                external fail
                  effect
                    failed := true

Trajectories T: satisfies
                  constant(failed)
                  d(clock) = 1
                stops when
                  ¬failed and clock = u


Figure 4: Periodic sending process with failures


Example 4.5 (Fischer's mutual exclusion algorithm) The automaton presented in
Figures 6 and 7 is the specification of a shared memory mutual exclusion algorithm which
uses a single shared variable that can be read and written by all the participants. The
automaton parameters u_set and l_check represent upper and lower time bounds for the set_i
and check_i actions respectively. We assume that u_set < l_check. The parameter I represents
the set of indices of processes that participate in the algorithm and is required to be finite.


The shared variable x can be assigned any value in I or the special value ⊥. If a
process is in the critical region, then the variable x contains the index of that process. If
all users are in the remainder region, then the variable x contains the value ⊥. The array
variable pc records the program counters of all processes. The array variable lastset keeps
track of the deadlines by which the processes' set actions must occur. Similarly, the array
variable firstcheck keeps track of the earliest time the processes' check actions may occur.
Automaton Timeout(u, M) where u ∈ R^+

Variables X:    discrete suspected ∈ Bool, initially false
                analog clock ∈ R, initially 0

States Q:       val(X)

Actions A:      external receive(m) where m ∈ M
                external timeout

Transitions D:  external receive(m)
                  effect
                    clock := 0
                    suspected := false

                external timeout
                  precondition
                    ¬suspected
                    clock = u
                  effect
                    suspected := true

Trajectories T: satisfies
                  constant(suspected)
                  d(clock) = 1
                stops when
                  clock = u and ¬suspected


Figure 5: Timeout


The analog variable now models real time. 


The transition definitions for external actions try_i, test_i, crit_i, exit_i are straightforward.
When a process performs one of these actions, its program counter is updated to record
the region entered by the process. The most interesting transition definitions are test_i, set_i
and check_i since they are the ones that involve timing constraints of the algorithm. When
a process i performs a test action and observes x to be ⊥, it sets lastset[i] to now + u_set.
This sets the deadline for the performance of the set_i action. Note that this deadline is
enforced through the stopping condition in the trajectory specification. The transition
set_i sets firstcheck[i] to now + l_check. The value of firstcheck[i] determines the earliest
time check_i may occur. The check_i action is enabled only when the current time has at
least this value.


The trajectory specification says that the values of discrete variables are kept constant
by trajectories. The stopping condition implies that if the value of now reaches the value
of lastset[i] for some process i at some point in time, then that point must be the limit
time of the trajectory.
Type PcValue = enumeration of rem, test, set, check, leavetry, crit, leaveexit


Automaton FischerME(u_set, l_check, I) where u_set ∈ R^{≥0}, l_check ∈ R^{≥0}, u_set < l_check

Variables X:    discrete x ∈ I ∪ {⊥}, initially ⊥
                discrete pc, an array of elements of PcValue indexed by I,
                  initially ∀i ∈ I. pc[i] = rem
                discrete lastset, an array of elements of R ∪ {∞} indexed by I,
                  initially ∀i ∈ I. lastset[i] = ∞
                discrete firstcheck, an array of elements of type R,
                  initially ∀i ∈ I. firstcheck[i] = 0
                analog now ∈ R, initially 0

States Q:       val(X)

Actions A:      external try_i, crit_i, exit_i, rem_i
                internal test_i, set_i, check_i, reset_i where i ∈ I


Figure 6: Fischer's mutual exclusion algorithm: Variables, states, and actions


Example 4.6 (Clock synchronization) The automaton in Figure 8 is the specification 
of a single process in a clock synchronization algorithm. Each process has a physical clock 
and generates a logical clock. The goal of the algorithm is to achieve “agreement” and 
“validity” among the logical clock values. Agreement means that the logical clocks are 
close to one another. Validity means that the logical clocks are within the range of the 
physical clocks. 


The algorithm is based on the exchange of physical clock values between different
processes in the system. The parameter u determines the frequency of sending messages.
Processes in the system are indexed by the elements of a finite set I. ClockSync(u, ρ)_i has
a physical clock physclock, which may drift from the real time with a drift rate bounded
by ρ. It uses the variable maxother to keep track of the largest physical clock value of the
other processes in the system. The variable nextsend records when it is supposed to send
its physical clock to the other processes. The logical clock, logclock, is defined to be the
maximum of maxother and physclock. Formally logclock is a derived variable, which is a
function whose value is defined in terms of the state variables.


A send(m)_i transition is enabled when m = physclock and nextsend = physclock. It
causes the value of nextsend to be updated so that the next send can occur when physclock
has advanced by u time units. The transition definition for receive(m)_{j,i} specifies the effect
of receiving a message from another process j in the system. Upon the receipt of a message
m from j, i sets maxother to the maximum of m and the current value of maxother, thereby
updating its knowledge of the largest physical clock value of other processes in the system.


The trajectory specification is slightly different from that in the previous examples. In
this example, the analog variable physclock does not change at the same rate as real time
but it drifts with a rate that is bounded by ρ. The periodic sending of physical clocks to
other processes is enforced through the stopping condition in the trajectory specification.
Time is not allowed to pass beyond the point where physclock = nextsend.


Transitions D:  external try_i
                  precondition
                    pc[i] = rem
                  effect
                    pc[i] := test

                internal test_i
                  precondition
                    pc[i] = test
                  effect
                    if x = ⊥ then
                      pc[i] := set
                      lastset[i] := now + u_set

                internal set_i
                  precondition
                    pc[i] = set
                  effect
                    x := i
                    pc[i] := check
                    lastset[i] := ∞
                    firstcheck[i] := now + l_check

                internal check_i
                  precondition
                    pc[i] = check
                    now ≥ firstcheck[i]
                  effect
                    if x = i then
                      pc[i] := leavetry
                    else
                      pc[i] := test

                external crit_i
                  precondition
                    pc[i] = leavetry
                  effect
                    pc[i] := crit

                external exit_i
                  precondition
                    pc[i] = crit
                  effect
                    pc[i] := reset

                internal reset_i
                  precondition
                    pc[i] = reset
                  effect
                    x := ⊥
                    pc[i] := leaveexit

                external rem_i
                  precondition
                    pc[i] = leaveexit
                  effect
                    pc[i] := rem

Trajectories T: satisfies
                  constant(x)
                  constant(pc)
                  constant(lastset)
                  constant(firstcheck)
                  d(now) = 1
                stops when
                  ∃i ∈ I. now = lastset[i]


Figure 7: Fischer's mutual exclusion algorithm: Transitions and trajectories


Automaton ClockSync(u, ρ)_i where u ∈ R^+, 0 ≤ ρ < 1, i ∈ I

Variables X:    analog physclock ∈ R, initially 0
                discrete nextsend ∈ R, initially 0
                discrete maxother ∈ R, initially 0

Derived variables: logclock = max(maxother, physclock)

States Q:       val(X)

Actions A:      external send(m)_i, receive(m)_{j,i} where m ∈ R, j ∈ I, j ≠ i

Transitions D:  external send(m)_i
                  precondition
                    m = physclock
                    physclock = nextsend
                  effect
                    nextsend := nextsend + u

                external receive(m)_{j,i}
                  effect
                    maxother := max(maxother, m)

Trajectories T: satisfies
                  constant(nextsend)
                  constant(maxother)
                  continuous(physclock)
                  1 − ρ ≤ d(physclock) ≤ 1 + ρ
                stops when
                  physclock = nextsend


Figure 8: Clock synchronization


4.2 Executions and Traces 


We now define execution fragments, executions, trace fragments, and traces, which are
used to describe automaton behavior. An execution fragment of a timed automaton A is
an (A, V)-sequence α = τ0 a1 τ1 a2 τ2 ..., where (1) each τ_i is a trajectory in T, and (2)
if τ_i is not the last trajectory in α then τ_i.lstate →^{a_{i+1}} τ_{i+1}.fstate. An execution fragment
records what happens during a particular run of a system, including all the instantaneous,
discrete state changes and all the changes to the state that occur while time advances. We
write frags_A for the set of all execution fragments of A.


If α is an execution fragment, with notation as above, then we define the first state of
α, α.fstate, to be α.fval. An execution fragment of a timed automaton A from a state x
of A is an execution fragment of A whose first state is x. We write frags_A(x) for the set of
execution fragments of A from x. An execution fragment α is defined to be an execution if
α.fstate is a start state, that is, α.fstate ∈ Θ. We write execs_A for the set of all executions
of A. If α is a closed (A, V)-sequence then we define the last state of α, α.lstate, to be
α.lval.


If α is an execution fragment, then β is a suffix of α provided that there exists α' such
that α' ⌢ β = α and α'.lstate = β.fstate.


A state of A is reachable if it is the last state of some closed execution of A. A property 
that is true for all reachable states of an automaton is called an invariant assertion, or 
invariant, for short. 


Lemma 4.7 Let α0 α1 ... be a finite or infinite sequence of execution fragments of A such
that, for each nonfinal index i, α_i is closed and α_i.lstate = α_{i+1}.fstate. Then α0 ⌢ α1 ⌢ ⋯
is an execution fragment of A.


Proof: Follows easily from the definitions, using axiom T3. ∎


Lemma 4.8 Let α and β be execution fragments of A with α closed. Then


$$\alpha \le \beta \;\Leftrightarrow\; \exists \alpha' \in \mathit{frags}_A : \beta = \alpha \frown \alpha'.$$


Proof: Implication "⇐" follows directly from the corresponding implication in Lemma 3.7.
Implication "⇒" follows from the definitions and T2. ∎


The external behavior of a timed automaton is captured by the set of "traces" of
its execution fragments, which record external actions and the trajectories that describe
the intervening passage of time. A trace consists of alternating external actions and
trajectories over the empty set of variables, ∅; the only interesting information contained
in these trajectories is the amount of time that elapses.


Formally, if α is an execution fragment, then the trace of α, denoted by trace(α), is
the (E, ∅)-restriction of α, α ⌈(E, ∅). A trace fragment of a timed automaton A from a
state x of A is the trace of an execution fragment of A whose first state is x. We write
tracefrags_A(x) for the set of trace fragments of A from x. Also, we define a trace of A to
be a trace fragment from a start state, that is, the trace of an execution of A, and write
traces_A for the set of traces of A.


In the earlier timed automaton models [25, 36], execution fragments were defined in a 
similar style to the one presented here, that is, as an alternating sequence of trajectories 
and actions. However, the traces were not derived from execution fragments by a simple 
restriction to external actions and the empty set of variables. Rather, a trace was defined 
as a sequence consisting of actions paired with their time of occurrence together with 
a limit time. The new definition increases uniformity; the definitions, results and proof 
techniques for hybrid sequences apply to both execution fragments and traces. 


We now revisit some of the automata presented earlier in this section and give sample 
executions and traces for these automata. 


Example 4.9 (Periodic sending process) Consider the automaton $\mathit{PeriodicSend}(u, M)$ from Example 4.2 where $u$ is instantiated to the real number 3 and the message type parameter $M$ is instantiated to the set $\{m_1, m_2, \ldots\}$. The following sequence is an execution of the automaton:

$$\alpha = \tau_0\ \mathit{send}(m_1)\ \tau_1\ \mathit{send}(m_2)\ \tau_2\ \mathit{send}(m_3)\ \tau_3 \ldots$$

where $\tau_i : [0,3] \to \mathit{val}(\{\mathit{clock}\})$ are defined such that $\tau_i(t)(\mathit{clock}) = t$ for all $t \in [0,3]$.


The functions $\tau_i$ are defined for closed intervals of length 3, starting at time 0. They describe the evolution of the variable $\mathit{clock}$, which is 0 at the start of each $\tau_i$ and increases with rate 1 for 3 time units. The discrete $\mathit{send}$ events occur periodically, every 3 time units, and reset the $\mathit{clock}$ variable to 0.


The trace of the above execution fragment, $\mathit{trace}(\alpha)$, is the sequence

$$\tau'_0\ \mathit{send}(m_1)\ \tau'_1\ \mathit{send}(m_2)\ \tau'_2\ \mathit{send}(m_3)\ \tau'_3 \ldots$$

where $\tau'_i : [0,3] \to \mathit{val}(\emptyset)$.

Since the range of each function $\tau'_i$ contains only the function with the empty domain, $\mathit{trace}(\alpha)$ does not contain any information about what happens to the value of $\mathit{clock}$ as time progresses. Since the domains of each $\tau_i$ and $\tau'_i$ are identical, $\alpha$ and $\mathit{trace}(\alpha)$ express the same information about the amount of time that elapses between discrete steps.


Example 4.10 (Timeout process) We now present an execution of the automaton $\mathit{Timeout}(u, M)$ from Example 4.4 where the maximum waiting time $u$ for a message is 5 and the message alphabet $M$ is the set $\{m_1, m_2\}$. The following finite sequence is an execution of $\mathit{Timeout}(u, M)$:

$$\alpha = \tau_0\ \mathit{receive}(m_1)\ \tau_1\ \mathit{timeout}\ \tau_2\ \mathit{receive}(m_2)\ \tau_3\ \mathit{timeout}\ \tau_4$$

where $\mathit{Val} = \mathit{val}(\{\mathit{suspected}, \mathit{clock}\})$ and the functions $\tau_0, \tau_1, \tau_2, \tau_3, \tau_4$ are defined as follows:

$\tau_0 : [0,2] \to \mathit{Val}$ where $\tau_0(t)(\mathit{suspected}) = \mathit{false}$ and $\tau_0(t)(\mathit{clock}) = t$ for all $t \in [0,2]$.

$\tau_1 : [0,5] \to \mathit{Val}$ where $\tau_1(t)(\mathit{suspected}) = \mathit{false}$ and $\tau_1(t)(\mathit{clock}) = t$ for all $t \in [0,5]$.

$\tau_2 : [0,1] \to \mathit{Val}$ where $\tau_2(t)(\mathit{suspected}) = \mathit{true}$ and $\tau_2(t)(\mathit{clock}) = 5 + t$ for all $t \in [0,1]$.

$\tau_3 : [0,5] \to \mathit{Val}$ where $\tau_3(t)(\mathit{suspected}) = \mathit{false}$ and $\tau_3(t)(\mathit{clock}) = t$ for all $t \in [0,5]$.

$\tau_4 : [0,\infty) \to \mathit{Val}$ where $\tau_4(t)(\mathit{suspected}) = \mathit{true}$ and $\tau_4(t)(\mathit{clock}) = 5 + t$ for all $t \in [0,\infty)$.

In this sample execution, the first awaited message arrives at time 2. Since no other message arrives within the next 5 time units, the process performs a $\mathit{timeout}$. A new message arrives 1 time unit after the timeout and the variable $\mathit{clock}$ is reset to 0. Since no new message arrives in the next 5 time units, the process performs another $\mathit{timeout}$. Time elapses forever after this timeout since no further message arrives.

This example illustrates that the automaton $\mathit{Timeout}(u, M)$ can perform multiple $\mathit{timeout}$ transitions. Another point to note is that the sample execution consists of a finite $(A, V)$-sequence ending with a trajectory, as opposed to an infinite sequence as in Example 4.9. The final trajectory here is a trajectory whose domain is right open, and the execution is admissible and non-Zeno. Replacing $\tau_4$ with a function on a closed interval would yield a non-Zeno execution that is not admissible.

The trace of the execution $\alpha$ can be obtained by letting the range of each $\tau_i$ be the set consisting of the function with the empty domain, as we did in the previous example, that is, by hiding the values of the internal variables $\mathit{clock}$ and $\mathit{suspected}$ during trajectories.
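As an added illustration of the definitions above (this code is not from the paper), the execution $\alpha$ of Example 4.10 can be checked mechanically against the $\mathit{Timeout}(u, M)$ automaton and classified in the terms later compared in Lemma 4.13. The $\mathit{Timeout}$ automaton (Example 4.4) is not reproduced on this page, so the transition and trajectory rules in the code are inferred from the execution and are an assumption of this example; all names in the block are the example's own.

```python
"""Added example, not from the paper: the execution alpha of Example 4.10
checked against the Timeout(u, M) automaton and classified as in Lemma 4.13.
A trajectory is stored as its length, whether its domain is right-closed,
and its start valuation, and is read as 'suspected constant, clock increasing
at rate 1'. Timeout itself (Example 4.4) is not on this page; the rules in
in_trajectories/in_transitions are inferred from the execution (assumption)."""
import math

U = 5   # maximum waiting time u in Example 4.10
START = {"suspected": False, "clock": 0}

def traj(length, closed, suspected, clock):
    """Trajectory tau with domain [0, length] (closed) or [0, length) (open)."""
    return {"len": length, "closed": closed, "suspected": suspected, "clock": clock}

def fstate(tr):
    return {"suspected": tr["suspected"], "clock": tr["clock"]}

def lstate(tr):
    """Last valuation; defined only for a closed trajectory."""
    assert tr["closed"]
    return {"suspected": tr["suspected"], "clock": tr["clock"] + tr["len"]}

def in_trajectories(tr):
    """T of Timeout: clock grows at rate 1 and time stops when clock = u while
    no timeout is pending, so an unsuspected trajectory may not pass clock = u."""
    return tr["suspected"] or tr["clock"] + tr["len"] <= U

def in_transitions(x, action, x2):
    """D of Timeout: receive(m) resets clock and clears suspected; timeout is
    enabled when clock = u and not suspected, and sets suspected."""
    if action.startswith("receive("):
        return x2 == START
    if action == "timeout":
        return (not x["suspected"] and x["clock"] == U
                and x2 == {"suspected": True, "clock": x["clock"]})
    return False

def is_execution(alpha):
    """alpha = tau_0 a_1 tau_1 ... a_n tau_n starts in the start state, every
    tau_i is in T, and every (tau_i.lstate, a_{i+1}, tau_{i+1}.fstate) is in D."""
    trajs, acts = alpha[0::2], alpha[1::2]
    if fstate(trajs[0]) != START or not all(map(in_trajectories, trajs)):
        return False
    return all(t["closed"] and in_transitions(lstate(t), a, fstate(t2))
               for t, a, t2 in zip(trajs, acts, trajs[1:]))

def ltime(alpha):
    return sum(t["len"] for t in alpha[0::2])

def classify(alpha):
    """The properties compared in Lemma 4.13, for a finite sequence."""
    closed, lt = alpha[-1]["closed"], ltime(alpha)
    return {"closed": closed, "admissible": lt == math.inf,
            "time_bounded": lt < math.inf, "zeno": not closed and lt < math.inf}

def trace(alpha):
    """(E, empty set)-restriction: all actions of Timeout are external, so only
    the valuations inside the trajectories are dropped."""
    return [x if isinstance(x, str) else {"len": x["len"], "closed": x["closed"]}
            for x in alpha]

# The execution of Example 4.10 (tau_4 has the right-open domain [0, oo)).
ALPHA = [traj(2, True, False, 0), "receive(m1)", traj(5, True, False, 0), "timeout",
         traj(1, True, True, 5), "receive(m2)", traj(5, True, False, 0), "timeout",
         traj(math.inf, False, True, 5)]
# The variant discussed in the text: tau_4 replaced by a closed trajectory.
ALPHA_CLOSED = ALPHA[:-1] + [traj(3, True, True, 5)]

if __name__ == "__main__":
    print(is_execution(ALPHA), classify(ALPHA), classify(trace(ALPHA)))
```

Running the block confirms the text: $\alpha$ is admissible and non-Zeno, the closed variant is time-bounded and non-Zeno but not admissible, and the trace has exactly the same classification as the execution, which is the content of items 1 and 2 of Lemma 4.13.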


Example 4.11 (Time-bounded channel) Consider the time-bounded channel automaton from Example 4.1. It is easy to observe that time cannot pass beyond any delivery deadline recorded in the message queue and that each deadline in the queue is less than or equal to the sum of the current time and the bound $b$. This property can be stated as an invariant assertion as follows.

Invariant 1: In any reachable state $x$ of automaton $\mathit{TimedChannel}(b, M)$, for all $(m, u)$ in $x(\mathit{queue})$, $x(\mathit{now}) \le u \le x(\mathit{now}) + b$.

Such an invariant can be proved by induction. Recall that reachable states are the final states of closed executions. Axioms T1 and T2 allow us to view any closed execution as a concatenation of closed execution fragments, $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k$, where every $\alpha_i$ is either a closed trajectory or a discrete action surrounded by point trajectories, and where $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$ for $0 \le i \le k-1$. The invariant can then be proved using induction on the length $k$ of the sequence of execution fragments $\alpha_i$. ∎


Example 4.12 (Fischer's mutual exclusion) The main safety property that needs to be satisfied by the automaton $\mathit{FischerME}$ from Example 4.5 is mutual exclusion. This safety property can be expressed as an invariant assertion:

Invariant 1: In any reachable state $x$ of $\mathit{FischerME}(u_{set}, l_{check}, I)$, there do not exist $i \in I$ and $j \in I$ such that $x(\mathit{pc})[i] = \mathit{crit}$ and $x(\mathit{pc})[j] = \mathit{crit}$.

Even though the invariant does not refer to time, its proof depends on the timing constraints of the automaton. For example, the following auxiliary invariant can be used in proving Invariant 4.12:

Invariant 2: In any reachable state $x$ of $\mathit{FischerME}(u_{set}, l_{check}, I)$, if $\mathit{pc}[i] = \mathit{check}$, $x = i$, and $\mathit{pc}[j] = \mathit{set}$, then $\mathit{firstcheck}[i] > \mathit{lastset}[j]$.

This invariant states that if the program counter of process $i$ has the value $\mathit{check}$, the program counter of process $j$ has the value $\mathit{set}$, and the variable $x$ has the value $i$, then $i$ will allow enough time for $j$ to set $x$ to $j$ before performing the check. If this timing constraint were not satisfied, it would be possible for $i$ to check that $x = i$ before $j$ sets $x$ to $j$. Both of the processes would then observe $x$ to contain their own index and enter the critical region. ∎
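The dependence of Invariant 1 on the timing parameters can be seen concretely by exploring the protocol for two processes. The following added example (not the paper's code) does a bounded breadth-first exploration on a unit time grid and reports whether mutual exclusion holds. $\mathit{FischerME}$ itself (Example 4.5) is not reproduced on this page; the protocol rules in the code are the standard Fischer algorithm and are an assumption of this example, as are all names in it. Unit time steps suffice to exhibit the race for integer parameters but do not constitute a proof of the safe case over dense time.

```python
"""Added example, not from the paper: bounded exploration of Fischer's mutual
exclusion protocol for two processes on a unit time grid. Mutual exclusion
(Invariant 1 of Example 4.12) holds for u_set < l_check and fails otherwise.
The protocol rules are the standard Fischer algorithm (an assumption, since
the page does not reproduce FischerME). Unit steps exhibit the race for integer
parameters but do not prove the safe case over dense time."""
from collections import deque

REM, TRY, SET, CHECK, CRIT = "rem", "try", "set", "check", "crit"

def with_proc(state, i, pc, x=None):
    """Copy of state with process i moved to pc (timer reset) and x updated."""
    old_x, procs = state
    procs = procs[:i] + ((pc, 0),) + procs[i + 1:]
    return (old_x if x is None else x, procs)

def successors(state, u_set, l_check):
    """States reachable by one discrete step of either process or by one unit
    of time passage. state = (x, ((pc_1, timer_1), (pc_2, timer_2)))."""
    x, procs = state
    out = []
    for i, (pc, t) in enumerate(procs):
        me = i + 1                                      # value process i writes into x
        if pc == REM:
            out.append(with_proc(state, i, TRY))
        elif pc == TRY and x == 0:                      # read x = 0: u_set timer starts
            out.append(with_proc(state, i, SET))
        elif pc == SET:                                 # x := i, then wait l_check
            out.append(with_proc(state, i, CHECK, me))
        elif pc == CHECK and t >= l_check:              # check: x = i lets i enter
            out.append(with_proc(state, i, CRIT if x == me else TRY))
        elif pc == CRIT:                                # exit: x := 0
            out.append(with_proc(state, i, REM, 0))
    # Time passage is blocked when a process in SET has reached its deadline
    # (the paper's lastset[j]); timers saturate so the state space stays finite.
    if all(not (pc == SET and t >= u_set) for pc, t in procs):
        cap = max(u_set, l_check)
        out.append((x, tuple((pc, min(t + 1, cap)) for pc, t in procs)))
    return out

def explore(u_set, l_check):
    """Breadth-first search of the reachable states; returns (mutual exclusion
    holds in every reachable state, number of states visited)."""
    start = (0, ((REM, 0), (REM, 0)))
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        if all(pc == CRIT for pc, _ in s[1]):
            return False, len(seen)
        for s2 in successors(s, u_set, l_check):
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return True, len(seen)

if __name__ == "__main__":
    for u_set, l_check in [(1, 2), (2, 2), (3, 2)]:
        print(u_set, l_check, explore(u_set, l_check))
```

With $u_{set} = 2 = l_{check}$ the search finds the interleaving described in the text: process 2 reads $x = 0$, process 1 sets $x := 1$ and checks after $l_{check}$, and only then does process 2 set $x := 2$ at its deadline, so both checks succeed. With $u_{set} = 1 < l_{check} = 2$ no reachable state has both processes in $\mathit{crit}$.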


Lemma 4.13 If $\alpha$ is an execution of $A$ then

1. $\alpha$ is time-bounded if and only if $\mathit{trace}(\alpha)$ is time-bounded.
2. $\alpha$ is admissible if and only if $\mathit{trace}(\alpha)$ is admissible.
3. If $\alpha$ is closed then $\mathit{trace}(\alpha)$ is closed.
4. If $\alpha$ is non-Zeno then $\mathit{trace}(\alpha)$ is non-Zeno.

Proof: It follows directly from the definition of restriction of $(A, V)$-sequences. ∎


Lemma 4.14 If $\beta$ is a trace of $A$ then

1. If $\beta$ is closed then there exists an execution $\alpha$ of $A$ such that $\mathit{trace}(\alpha) = \beta$ and $\alpha$ is closed.

2. If $\beta$ is non-Zeno then there exists an execution $\alpha$ of $A$ such that $\mathit{trace}(\alpha) = \beta$ and $\alpha$ is non-Zeno.

Proof: For the first part of the lemma, let $\beta = \mathit{trace}(\alpha)$ be a closed trace of $A$. By definition of a trace, we know that $\beta.\mathit{ltime} = \alpha.\mathit{ltime}$. We also know that $\alpha$ is either closed or has a suffix which is an infinite sequence of alternating point trajectories and actions. Now, let $\alpha'$ be the least closed prefix of $\alpha$ such that $\alpha'.\mathit{ltime} = \beta.\mathit{ltime}$. Clearly, $\alpha'$ is a closed execution of $A$.

For the second part of the lemma, observe that a non-Zeno trace is either closed or admissible. Let $\beta = \mathit{trace}(\alpha)$. For the case where $\beta$ is closed, we have already shown how we can find a closed execution. For the case where $\beta = \mathit{trace}(\alpha)$ is admissible, we know that $\alpha.\mathit{ltime} = \infty$. Hence, $\alpha$ is admissible, as needed. ∎


Example 4.15 (Constructing a closed execution from a closed trace) Consider the Zeno hybrid sequence $\alpha = \wp(v)\ a\ \wp(v)\ a\ \wp(v) \ldots$ given in Example 3.12. Suppose that $\alpha$ is an execution of $A$ and that $a$ is an internal action of $A$. Then, $\mathit{trace}(\alpha) = \wp(v')$ where $\wp(v')$ is a trajectory over the empty set of variables. However, the fact that $\mathit{trace}(\alpha)$ is closed does not imply that $\alpha$ is closed. Thus, we see why we have a one-way implication in item 3 of Lemma 4.13. On the other hand, we can construct a closed execution of $A$ with trace $\wp(v')$ as explained in the proof of Lemma 4.14. The execution consisting of the point trajectory $\wp(v)$ is a closed execution of $A$ with trace $\wp(v')$. ∎


4.3 Special Kinds of Timed Automata

This section describes several restricted forms of timed automata. In Section 4.3.1 we give definitions that are needed for theorems later in the paper. In Section 4.3.2 we formulate the timed automata of Alur and Dill [4, 6] as a special case of our timed automata.


4.3.1 Basic constraints

Timed Automata with Finite Internal Nondeterminism: We are sometimes interested in bounding the amount of internal nondeterminism in a timed automaton. Thus, we say that a timed automaton $A$ has finite internal nondeterminism (FIN) provided that:

1. The set $\Theta$ of start states is finite, and

2. For every state $x$ of $A$ and every trace fragment $\beta$ of $A$ from $x$, the set $\{\alpha.\mathit{lstate} \mid \alpha \in \mathit{frags}_A(x) \wedge \mathit{trace}(\alpha) = \beta\}$ is finite.


Example 4.16 (Automata with FIN) The automata $\mathit{TimedChannel}(b, M)$, $\mathit{PeriodicSend}(u, M)$, $\mathit{PeriodicSend2}(u, M)$ and $\mathit{Timeout}(u, M)$ given in Section 4.1 all have FIN. The first property of the definition of FIN is satisfied since each of these automata has a unique start state. The second property follows from the fact that in each automaton, for every state $x$ and every trace fragment $\beta$ from $x$, there is a unique execution fragment $\alpha$ such that $\mathit{trace}(\alpha) = \beta$. ∎


Example 4.17 (Automata without FIN) We now show that $\mathit{FischerME}(u_{set}, l_{check}, I)$ and $\mathit{ClockSync}(u, \rho)_i$ do not have FIN. For each automaton, we specify a trace, describe the set of all executions that have the specified trace, and argue that the second property in the definition of FIN fails for the chosen trace.

Let $x$ be the start state of $\mathit{FischerME}(u_{set}, l_{check}, I)$ and $\beta = \tau_0\ \mathit{try}_i\ \tau_1$ be a trace of the same automaton where the domains of the functions $\tau_0$ and $\tau_1$ are, respectively, the single point interval $[0,0]$ and the interval $[0, u]$, and the range of both functions is the set consisting of the function with the empty domain. For any execution $\alpha$, $\mathit{trace}(\alpha) = \beta$ if and only if $\alpha.\mathit{ltime} = u$, $\mathit{try}_i$ occurs at time 0, and all the actions in $\alpha$ that occur after $\mathit{try}_i$ are internal actions. There are infinitely many different times at which the internal actions may occur, and infinitely many values that $\mathit{lastcheck}$ and $\mathit{firstcheck}$ could have by the time $u$. Therefore, the set $\{\alpha.\mathit{lstate} \mid \alpha \in \mathit{frags}_A(x) \wedge \mathit{trace}(\alpha) = \tau_0\ \mathit{try}_i\ \tau_1\}$ is not finite and $\mathit{FischerME}(u_{set}, l_{check}, I)$ does not have FIN.

Now, let $x$ be the start state of $\mathit{ClockSync}(u, \rho)_i$ where $x(\mathit{physclock}) = x(\mathit{nextsend}) = x(\mathit{maxother}) = 0$, and let $\beta = \tau_0\ \mathit{send}(0)\ \tau_1$ be a trace of $\mathit{ClockSync}(u, \rho)_i$ where the domains of the functions $\tau_0$ and $\tau_1$ are, respectively, the interval $[0,0]$ and the interval $[0,u]$, and the range of both functions is the set consisting of the function with the empty domain. For any $\alpha$ in which $\mathit{send}(0)$ occurs at time 0 and is followed by a trajectory $\tau$ such that $\tau.\mathit{ltime} = u$, we have $\mathit{trace}(\alpha) = \beta$. For any such $\alpha$, $\alpha.\mathit{lstate}(\mathit{physclock})$ can be any value in the interval $[u(1-\rho), u(1+\rho)]$. Therefore, the set $\{\alpha.\mathit{lstate} \mid \alpha \in \mathit{frags}_A(x) \wedge \mathit{trace}(\alpha) = \tau_0\ \mathit{send}(0)\ \tau_1\}$ is not finite and $\mathit{ClockSync}(u, \rho)_i$ does not have FIN.


The following lemma states that if a timed automaton has FIN, then its set of traces is limit-closed.

Lemma 4.18 Suppose that timed automaton $A$ has FIN and $x \in Q$. Suppose that $\beta_1\ \beta_2 \ldots$ is a chain of trace fragments of $A$ from $x$. Then the hybrid sequence $\lim_i \beta_i$ is a trace fragment of $A$ from $x$.

Proof: This is analogous to the proof of Lemma 4.3 of [25]. Suppose that $A$ is a timed automaton that has FIN, $x$ is a state of $A$, and $\beta_1\ \beta_2 \ldots$ is a chain of trace fragments of $A$ from $x$. We define a relation $\mathit{after}$ between trace fragments from $x$ and states of $A$:

$$\mathit{after} = \{(\beta, y) \mid \exists \alpha \in \mathit{frags}_A(x).\ \mathit{trace}(\alpha) = \beta \wedge \alpha.\mathit{lstate} = y\}.$$

We construct a directed graph $G$ whose nodes are pairs $(\beta_i, y) \in \mathit{after}$ where $\beta_i$ is an element of the given chain. In $G$, there is an edge from $(\beta_i, y)$ to $(\beta_{i+1}, y')$ exactly if $\beta_{i+1} = \beta_i \frown \gamma$ such that $\gamma = \mathit{trace}(\alpha)$ for some $\alpha \in \mathit{frags}_A(y)$, and $\alpha.\mathit{lstate} = y'$. By the definition of property FIN, there are finitely many roots of $G$. By the definition of FIN and the construction of $G$, each node of $G$ has finite outdegree.

We claim that each node $(\beta_i, y)$ of $G$ is reachable from some root $(\beta_1, z)$ for some $z$. By definition of the node set, there exists $\alpha \in \mathit{frags}_A(x)$ such that $\mathit{trace}(\alpha) = \beta_i$ and $\alpha.\mathit{lstate} = y$. Choose $\alpha' \in \mathit{frags}_A(x)$ to be a prefix of $\alpha$ such that $\mathit{trace}(\alpha') = \beta_1$ and let $z = \alpha'.\mathit{lstate}$. By definition of the edge set of $G$, $(\beta_i, y)$ is reachable from $(\beta_1, z)$.

Hence, $G$ satisfies the hypotheses of Lemma 2.3, which implies that there is an infinite execution fragment starting from $x$ whose trace is $\lim_i \beta_i$. Lemma 2.3 is an extension of König's lemma. ∎


There are two references to automata with FIN later in the paper. The first one is in 
Theorem 4.20, which lists some sufficient conditions for establishing an implementation 
relationship between two automata. The second reference appears in the discussion about 
the kinds of automata that satisfy the assumptions of Theorem 8.7. 


Feasible Timed Automata: A timed automaton A is feasible provided that, for every 
state x of A, there exists an admissible execution fragment of A from x. 


Feasibility is a basic requirement that any “reasonable” timed automaton should sat- 
isfy. Theorems 4.20, 6.11 and 7.2 establish some results about feasible automata. 


Timing-Independent Timed Automata: A timed automaton $A$ is said to be timing-independent provided that all its state variables are discrete variables, and its set of trajectories is exactly the set of constant-valued functions over left-closed time intervals with left endpoint 0.


We refer to timing-independent automata later in Example 6.5 and in our discussion 
about Corollary 8.8. 


4.3.2 Alur-Dill Automata

The timed automaton framework of Alur and Dill [4, 6] is widely used in the formal modeling and verification of timed systems. An Alur-Dill timed automaton is a finite directed multigraph augmented with a finite set of clock variables. The nodes and edges of this multigraph are called locations and switches, respectively. Locations are generally used to represent different modes of operation of the automaton, whereas the clocks are used in expressing timing constraints. Each switch has an associated clock constraint, which is a predicate on clock valuations that constrains when the switch may be taken. The semantics of such a timed automaton are defined as a state transition system in which each state consists of a location and a clock valuation. A transition between states occurs as a result of a switch or time passage.


Alur and Dill restrict the form of clock constraints in order to make the reachability 
problem (the problem of determining whether some target location is reachable) decidable: 
a clock constraint can be either a simple constraint comparing a clock variable to a rational 
constant, or a conjunction of simple constraints. 


In this section, we define a version of the Alur-Dill timed automaton model as a 
special case of our TA model. Our formulation relaxes the restrictions on the form of 
clock constraints. 


We assume that $T = \mathbb{R}$ and define an Alur-Dill (AD) timed automaton as a TA $A = (X, Q, \Theta, E, H, D, \mathcal{T})$ that satisfies the following conditions:

1. $X$ is partitioned into two sets $X_d$ and $X_c$, where $X_d$ is a set of discrete variables and $X_c$ is a set of analog variables. We call the variables in $X_c$ clock variables.

2. If $\mathbf{x} \in \Theta$, then for every $x \in X_c$, $\mathbf{x}(x) = 0$.

3. If $(\mathbf{x}, a, \mathbf{x}') \in D$, then for every $x \in X_c$, either $\mathbf{x}'(x) = 0$ or $\mathbf{x}'(x) = \mathbf{x}(x)$.

4. Each trajectory $\tau \in \mathcal{T}$ satisfies the following conditions:

(a) For every $x \in X_d$, $x$ is constant in $\tau$.

(b) For every $x \in X_c$, $d(x) = 1$.

Thus, in an AD timed automaton, the set of internal variables consists of discrete variables, which together represent the locations, and analog variables, which correspond to the clocks. In the initial states, all the clocks have value 0. A discrete transition either resets a clock or leaves it unchanged. The evolution of variables during a time interval is described by trajectories. In an AD automaton, the discrete variables are constant throughout a trajectory and clocks increase at the same rate as real time.


Example 4.19 (An AD automaton) We revisit a timed automaton example from [4]. We first present the timed automaton using the original graphical notation of Alur and Dill, as in [4], and then redefine it as an AD timed automaton, using the notational conventions we have been using in our other examples.

In the following multigraph, each switch is annotated with a symbol from a specified alphabet of labels, a constraint involving clock variables, and a statement that shows which clocks are reset to 0 as a result of a location switch. Note that some switches have no reset statements, meaning that the switch has no effect on the clock variables.

The multigraph has four locations, $s_0, s_1, s_2$, and $s_3$, and two clocks, $x$ and $y$. A location switch, represented by an arrow annotated with a label $a$, $b$, $c$, or $d$, can be performed only when the constraint on the same arrow is satisfied. For example, the automaton can change its location from $s_3$ to $s_1$, following the switch labeled with $a$, when the clock variable $y$ has a value smaller than 1. The clock variable $y$ is reset as an effect of this location switch.

[Figure: the Alur-Dill multigraph with locations $s_0$, $s_1$, $s_2$, $s_3$ and clocks $x$, $y$; the drawing itself is not recoverable from the extracted text.]

Figure 9 includes the expression of this multigraph as an AD automaton using our notational conventions. In the automaton $\mathit{AD}$, the discrete variable $\mathit{loc}$ keeps track of the current location in the multigraph and the analog variables $x$ and $y$ represent the clocks. The actions of $\mathit{AD}$ correspond to the labels in the original multigraph. Preconditions in transition definitions are used to express clock constraints associated with switches. Effect clauses in transition definitions are used to describe location changes and resetting of clocks. The trajectory specification describes the effect of time passage on the location and the clocks.

It is easy to check that the automaton $\mathit{AD}$, given in Figure 9, is an AD automaton. It satisfies the four conditions required to be classified as an AD automaton: (1) the set of internal variables $X$ can be partitioned into two sets $X_d$ and $X_c$ where $X_d = \{\mathit{loc}\}$ and $X_c = \{x, y\}$. (2) The clock variables $x$ and $y$ are initially 0. (3) The transition definitions either reset a clock or leave it unchanged. (4) The discrete variable $\mathit{loc}$ is constant throughout trajectories while $x$ and $y$ increase at rate 1.
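The four conditions can also be checked mechanically along concrete runs. The following added example (not code from the paper) encodes the switches of Figure 9 as guard/reset/target triples, lets time pass as an AD trajectory, and verifies conditions 2 to 4 on every step of a run. Figure 9 as extracted on this page shows no effect clause for switch $d$; the code assumes it returns to $s_0$ as in the original Alur-Dill example, and that assumption, like all names in the block, is the example's own.

```python
"""Added example, not from the paper: the automaton AD of Figure 9 as an
executable model, with a check of AD conditions 2-4 of Section 4.3.2 along a
run. Guards and resets follow Figure 9; the target location of switch d is
not shown on the page and is assumed to be s0 (assumption)."""
from fractions import Fraction

CLOCKS = ("x", "y")

# (label, source location, clock constraint, clocks reset to 0, target location)
SWITCHES = [
    ("a", "s0", lambda s: s["x"] > 0, ("y",), "s1"),
    ("a", "s3", lambda s: s["y"] < 1, ("y",), "s1"),
    ("b", "s1", lambda s: s["y"] == 1, (), "s2"),
    ("c", "s1", lambda s: s["x"] < 1, (), "s3"),
    ("c", "s2", lambda s: s["x"] < 1, (), "s3"),
    ("d", "s3", lambda s: s["x"] > 1, (), "s0"),   # target s0 is an assumption
]

def initial():
    """Start state: location s0 and, by condition 2, every clock at 0."""
    return {"loc": "s0", **{c: Fraction(0) for c in CLOCKS}}

def take(state, label):
    """Discrete transition for `label`, or None when no switch with that label
    leaves the current location with its clock constraint satisfied."""
    for lab, src, guard, resets, dst in SWITCHES:
        if lab == label and src == state["loc"] and guard(state):
            new = dict(state)
            new["loc"] = dst
            for c in resets:
                new[c] = Fraction(0)
            return new
    return None

def elapse(state, d):
    """Trajectory of length d: loc stays constant, each clock grows at rate 1."""
    new = dict(state)
    for c in CLOCKS:
        new[c] = state[c] + Fraction(d)
    return new

def run(steps):
    """Execute labels and ('time', d) pairs from the start state; returns the
    list of visited states, or None if some switch was blocked."""
    s = initial()
    states = [s]
    for st in steps:
        s = elapse(s, st[1]) if isinstance(st, tuple) else take(s, st)
        if s is None:
            return None
        states.append(s)
    return states

def ad_conditions_hold(steps):
    """Conditions 2, 3 and 4 of an AD automaton, checked along the run."""
    states = run(steps)
    if states is None:
        return False
    if any(states[0][c] != 0 for c in CLOCKS):                       # (2)
        return False
    for st, before, after in zip(steps, states, states[1:]):
        if isinstance(st, tuple):                                     # (4a), (4b)
            if after["loc"] != before["loc"] or any(
                    after[c] - before[c] != st[1] for c in CLOCKS):
                return False
        elif any(after[c] not in (0, before[c]) for c in CLOCKS):     # (3)
            return False
    return True

# A constructed run: wait 1/2, a (x > 0, y := 0), c (x < 1), wait 1, d (x > 1).
RUN = [("time", Fraction(1, 2)), "a", "c", ("time", 1), "d"]

if __name__ == "__main__":
    for s in run(RUN):
        print(s)
    print("AD conditions hold:", ad_conditions_hold(RUN))
```

The blocked cases are as instructive as the successful run: $a$ cannot be taken from $s_0$ at time 0 because $x > 0$ fails, and after $b$ has fired at $y = 1$ the switch $c$ is disabled because $x$ has already grown past 1, which is exactly the kind of reachability question that motivates the Alur-Dill restriction on clock constraints.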


Automaton AD

Variables X : discrete loc ∈ {s0, s1, s2, s3} initially s0
            analog x ∈ ℝ initially 0
            analog y ∈ ℝ initially 0

States Q : val(X)
Actions A : external a, b, c, d

Transitions D :
  external a
    precondition
      (loc = s0 and x > 0) or (loc = s3 and y < 1)
    effect
      loc := s1; y := 0

  external b
    precondition
      loc = s1 and y = 1
    effect
      loc := s2

  external c
    precondition
      (loc = s1 and x < 1) or (loc = s2 and x < 1)
    effect
      loc := s3

  external d
    precondition
      loc = s3 and x > 1

Trajectories T : satisfies
    constant(loc)
    d(x) = 1
    d(y) = 1

Figure 9: An AD automaton

4.4 Implementation Relationships

Timed automata $A_1$ and $A_2$ are comparable if they have the same external interface, that is, if $E_1 = E_2$. If $A_1$ and $A_2$ are comparable then we say that $A_1$ implements $A_2$, denoted by $A_1 \le A_2$, if the traces of $A_1$ are included among those of $A_2$, that is, if $\mathit{traces}_{A_1} \subseteq \mathit{traces}_{A_2}$.¹


Other preorders between timed automata could also be used as implementation relationships; for example, if $A_1$ and $A_2$ are comparable timed automata, we could consider:

• Every closed trace of $A_1$ is a trace of $A_2$.

• Every admissible trace of $A_1$ is a trace of $A_2$.

• Every non-Zeno trace of $A_1$ is a trace of $A_2$.


Theorem 4.20 Let $A_1$ and $A_2$ be comparable TAs.

1. If every closed trace of $A_1$ is a trace of $A_2$ and $A_2$ has FIN, then $A_1 \le A_2$.

2. If every admissible trace of $A_1$ is a trace of $A_2$ and $A_1$ is feasible, then every closed trace of $A_1$ is a trace of $A_2$.

3. If every admissible trace of $A_1$ is a trace of $A_2$, $A_1$ is feasible, and $A_2$ has FIN, then $A_1 \le A_2$.

Proof: Part 1 follows from Lemma 4.18.

For Part 2, consider a closed trace $\beta$ of $A_1$. By feasibility of $A_1$, we may extend $\beta$ to an admissible trace $\beta'$ of $A_1$. Then by assumption, $\beta'$ is also a trace of $A_2$. By prefix closure of the set of traces, $\beta$ is a trace of $A_2$.

Part 3 follows from Parts 1 and 2. ∎


4.5 Simulation Relations 


In this section, we define simulation relations between timed automata. Simulation rela- 
tions may be used to show that one TA implements another, in the sense of inclusion of sets 
of traces. We define two types of simulation relations: forward and backward simulations. 


Forward simulations are more commonly used than backward simulations because they 
are easier to think about and are general enough to cover most interesting situations that 
arise in practice. Backward simulations are sometimes necessary, in particular, when non- 
deterministic choices are resolved earlier in the specification than in the implementation. 
In proving implementation relations, we prefer to use forward simulation relations when- 
ever they exist, since backward simulations are harder to think about. 


¹ In [25, 14, 23, 24], definitions of the set of traces of an automaton and of one automaton implementing another are based on closed and admissible executions only. The results we obtain in this paper using the newer, more inclusive definition imply corresponding results for the earlier definition. For example, we have the following property: if $A_1 \le A_2$ then the set of traces that arise from closed or admissible executions of $A_1$ is a subset of the set of traces that arise from closed or admissible executions of $A_2$. This follows from Lemmas 4.13 and 4.14.
4.5.1 Forward Simulations

Let $A$ and $B$ be comparable TAs. A forward simulation from $A$ to $B$ is a relation $R \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of $A$ and $B$, respectively:

1. If $x_A \in \Theta_A$ then there exists a state $x_B \in \Theta_B$ such that $x_A\ R\ x_B$.

2. If $x_A\ R\ x_B$ and $\alpha$ is an execution fragment of $A$ consisting of one action surrounded by two point trajectories, with $\alpha.\mathit{fstate} = x_A$, then $B$ has a closed execution fragment $\beta$ with $\beta.\mathit{fstate} = x_B$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$, and $\alpha.\mathit{lstate}\ R\ \beta.\mathit{lstate}$.

3. If $x_A\ R\ x_B$ and $\alpha$ is an execution fragment of $A$ consisting of a single closed trajectory, with $\alpha.\mathit{fstate} = x_A$, then $B$ has a closed execution fragment $\beta$ with $\beta.\mathit{fstate} = x_B$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$, and $\alpha.\mathit{lstate}\ R\ \beta.\mathit{lstate}$.


Forward simulation relations induce a preorder between timed automata. 


Theorem 4.21 Let $A$, $B$ and $C$ be comparable TAs. If $R_1$ is a forward simulation from $A$ to $B$ and $R_2$ is a forward simulation from $B$ to $C$, then $R_2 \circ R_1$ is a forward simulation from $A$ to $C$.


The definition of a forward simulation from A to B yields a correspondence for open 
trajectories of A: 


Lemma 4.22 Let $A$ and $B$ be comparable TAs and let $R$ be a forward simulation from $A$ to $B$. Let $x_A$ and $x_B$ be states of $A$ and $B$, respectively, such that $x_A\ R\ x_B$. Let $\alpha$ be an execution fragment of $A$ from state $x_A$ consisting of a single open trajectory. Then $B$ has an execution fragment $\beta$ with $\beta.\mathit{fstate} = x_B$ and $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$.

Proof: Let $\tau$ be the single open trajectory in $\alpha$. Using axioms T1 and T2, we construct an infinite sequence $\tau_0\ \tau_1 \ldots$ of closed trajectories of $A$ such that $\tau = \tau_0 \frown \tau_1 \frown \cdots$. Then, working recursively, we construct a sequence $\beta_0\ \beta_1 \ldots$ of closed execution fragments of $B$ such that $\beta_0.\mathit{fstate} = x_B$ and, for each $i$, $\tau_i.\mathit{lstate}\ R\ \beta_i.\mathit{lstate}$, $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$, and $\mathit{trace}(\tau_i) = \mathit{trace}(\beta_i)$. This construction uses induction on $i$, using Property 3 of the definition of a forward simulation in the induction step. Now let $\beta = \beta_0 \frown \beta_1 \frown \cdots$. By Lemma 4.7, $\beta$ is an execution fragment of $B$. Clearly, $\beta.\mathit{fstate} = x_B$. By Lemma 3.9 applied to both $\alpha$ and $\beta$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$. Thus $\beta$ has the required properties. ∎


Theorem 4.23 Let $A$ and $B$ be comparable TAs and let $R$ be a forward simulation from $A$ to $B$. Let $x_A$ and $x_B$ be states of $A$ and $B$, respectively, such that $x_A\ R\ x_B$. Then $\mathit{tracefrags}_A(x_A) \subseteq \mathit{tracefrags}_B(x_B)$.

Proof: Suppose that $\beta$ is the trace of an execution fragment of $A$ that starts from $x_A$; we prove that $\beta$ is also a trace of an execution fragment of $B$ that starts from $x_B$. Let $\alpha = \tau_0\ a_1\ \tau_1\ a_2\ \tau_2 \ldots$ be an execution fragment of $A$ such that $\alpha.\mathit{fstate} = x_A$ and $\beta = \mathit{trace}(\alpha)$. We consider cases:

1. $\alpha$ is an infinite sequence.

Using axioms T1 and T2, we can write $\alpha$ as an infinite concatenation $\alpha_0 \frown \alpha_1 \frown \alpha_2 \frown \cdots$, in which the execution fragments $\alpha_i$ with $i$ even consist of a trajectory only, and the execution fragments $\alpha_i$ with $i$ odd consist of a single discrete step surrounded by two point trajectories.

We define inductively a sequence $\beta_0\ \beta_1 \ldots$ of closed execution fragments of $B$, such that $\beta_0.\mathit{fstate} = x_B$ and, for all $i$, $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$, $\alpha_i.\mathit{lstate}\ R\ \beta_i.\mathit{lstate}$, and $\mathit{trace}(\beta_i) = \mathit{trace}(\alpha_i)$. We use Property 3 of the definition of a simulation for the construction of the $\beta_i$'s with $i$ even, and Property 2 for the construction of the $\beta_i$'s with $i$ odd. Let $\beta = \beta_0 \frown \beta_1 \frown \beta_2 \frown \cdots$. By Lemma 4.7, $\beta$ is an execution fragment of $B$. Clearly, $\beta.\mathit{fstate} = x_B$. By Lemma 3.9, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$. Thus $\beta$ has the required properties.

2. $\alpha$ is a finite sequence ending with a closed trajectory.

Similar to the first case.

3. $\alpha$ is a finite sequence ending with an open trajectory.

Similar to the first case, using Lemma 4.22. ∎


Corollary 4.24 Let $A$ and $B$ be comparable TAs and let $R$ be a forward simulation from $A$ to $B$. Then $\mathit{traces}_A \subseteq \mathit{traces}_B$.

Proof: Suppose $\beta \in \mathit{traces}_A$. Then $\beta \in \mathit{tracefrags}_A(x_A)$ for some start state $x_A$ of $A$. Property 1 of the definition of simulation implies the existence of a start state $x_B$ of $B$ such that $x_A\ R\ x_B$. Then Theorem 4.23 implies that $\beta \in \mathit{tracefrags}_B(x_B)$. Since $x_B$ is a start state of $B$, this implies that $\beta \in \mathit{traces}_B$, as needed. ∎


Example 4.25 (Time-bounded channels) Consider two instances of the specification in Figure 2, $\mathit{TimedChannel}(b_1, M)$ and $\mathit{TimedChannel}(b_2, M)$ where $b_1 < b_2$. We define a forward simulation $R$ from $\mathit{TimedChannel}(b_1, M)$ to $\mathit{TimedChannel}(b_2, M)$ below. If $x$ is a state of $\mathit{TimedChannel}(b_1, M)$ and $y$ is a state of $\mathit{TimedChannel}(b_2, M)$, then $x\ R\ y$ provided that the following conditions are satisfied:

1. $x(\mathit{now}) = y(\mathit{now})$.

2. $|x(\mathit{queue})| = |y(\mathit{queue})|$.

3. $\forall i.\ 1 \le i \le |x(\mathit{queue})|$, if $x(\mathit{queue})(i) = (m, u_1)$ then $y(\mathit{queue})(i) = (m, u_2)$ and $u_1 \le u_2$.

We can prove that $R$ is a forward simulation from the automaton $\mathit{TimedChannel}(b_1, M)$ to the automaton $\mathit{TimedChannel}(b_2, M)$ by showing that $R$ satisfies each of the three properties in the definition of a forward simulation relation. In each automaton there is a unique initial state that maps the variable $\mathit{now}$ to 0 and $\mathit{queue}$ to the empty sequence. It is obvious that the initial states, which are identical, are related by $R$, and so the first property is satisfied.

For the rest of the proof, we let $x$ and $y$ be, respectively, states of $\mathit{TimedChannel}(b_1, M)$ and $\mathit{TimedChannel}(b_2, M)$ such that $x\ R\ y$. In order to show that the second property is satisfied, we need to consider two cases, one for each discrete action that may be performed by $\mathit{TimedChannel}(b_1, M)$.

If $\mathit{TimedChannel}(b_1, M)$ performs a $\mathit{send}(m)$ action, and the state changes from $x$ to $x'$, then we need to find an execution fragment $\beta$ of $\mathit{TimedChannel}(b_2, M)$ from $y$ ending in $y'$, such that $x'\ R\ y'$ and $\mathit{trace}(\beta)$ is the same as the trace of $\wp(x)\ \mathit{send}(m)\ \wp(x')$. The execution fragment $\beta = \wp(y)\ \mathit{send}(m)\ \wp(y')$ satisfies the required conditions. This follows from the hypothesis that $x\ R\ y$ and the definition of $R$, using the fact that the effects of a $\mathit{send}(m)$ action of $\mathit{TimedChannel}(b_1, M)$ and $\mathit{TimedChannel}(b_2, M)$ are, respectively, adding the entry $(m, \mathit{now} + b_1)$ to $x(\mathit{queue})$ and $(m, \mathit{now} + b_2)$ to $y(\mathit{queue})$, where $b_1 < b_2$.

If $\mathit{TimedChannel}(b_1, M)$ performs a $\mathit{receive}(m)$ action, and the state changes from $x$ to $x'$, then we need to show that $\mathit{receive}(m)$ is also enabled in $y$ and that there is an execution fragment with the required properties that ends in a state $y'$ such that $x'\ R\ y'$. In order to show that $\mathit{receive}(m)$ is enabled in $y$, we use the hypothesis that $x\ R\ y$, which implies that the first element of $y(\mathit{queue})$ is of the form $(m, u)$ for some $u$. The execution fragment $\wp(y)\ \mathit{receive}(m)\ \wp(y')$ of $\mathit{TimedChannel}(b_2, M)$ can be shown to satisfy the required conditions.

For the third property, we consider a closed trajectory $\tau$ of $\mathit{TimedChannel}(b_1, M)$ with $\tau.\mathit{fstate} = x$ and show that there exists a closed execution fragment $\beta$ of the automaton $\mathit{TimedChannel}(b_2, M)$ with $\beta.\mathit{fstate} = y$, $\mathit{trace}(\beta) = \mathit{trace}(\tau)$, and $\tau.\mathit{lstate}\ R\ \beta.\mathit{lstate}$. It is easy to check that the trajectory $\tau'$ of $\mathit{TimedChannel}(b_2, M)$ with $\tau'.\mathit{fstate} = y$ and $\tau'.\mathit{ltime} = \tau.\mathit{ltime}$ satisfies the required conditions. ∎
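Both the inductive invariant argument of Example 4.11 and the three-part simulation proof just given can be exercised on an executable model. The following added example (not code from the paper) models $\mathit{TimedChannel}(b, M)$ as described on this page, checks the induction step behind Invariant 1 by applying a random single step to random states that satisfy the invariant, and checks the forward-simulation conditions for the relation $R$ of Example 4.25 by constructing random related pairs, stepping the $b_1$ automaton, and matching the step in the $b_2$ automaton. It generalizes slightly to $b_1 \le b_2$; all class, function and message names are the example's own.

```python
"""Added example, not from the paper: TimedChannel(b, M) as an executable
model, with randomized checks of (i) the induction step behind Invariant 1
of Example 4.11 and (ii) the forward-simulation conditions for the relation
R of Example 4.25. Names and sample messages are constructed for the example."""
import random

class TimedChannel:
    """Example 4.1: queue of (message, delivery deadline) pairs and clock now."""
    def __init__(self, b, now=0, queue=()):
        self.b, self.now, self.queue = b, now, list(queue)

    def send(self, m):            # effect: append (m, now + b)
        self.queue.append((m, self.now + self.b))

    def receive_enabled(self):    # precondition: a message is queued
        return bool(self.queue)

    def receive(self):            # effect: remove the first entry
        return self.queue.pop(0)[0]

    def max_delay(self):          # time cannot pass beyond a queued deadline
        return min((u - self.now for _, u in self.queue), default=None)

    def advance(self, d):         # closed trajectory of length d
        assert self.max_delay() is None or d <= self.max_delay()
        self.now += d

def invariant1(ch):
    """Invariant 1 of Example 4.11: for all (m, u) queued, now <= u <= now + b."""
    return all(ch.now <= u <= ch.now + ch.b for _, u in ch.queue)

def random_invariant_state(b, rng):
    """Constructed state satisfying Invariant 1 (the induction hypothesis)."""
    now = rng.randint(0, 20)
    queue = [(f"m{k}", now + rng.randint(0, b)) for k in range(rng.randint(0, 4))]
    return TimedChannel(b, now, queue)

def random_step(ch, rng):
    """One closed execution fragment of the kind used in the induction of
    Example 4.11: a send, an enabled receive, or a closed trajectory."""
    kind = rng.choice(["send", "receive", "time"])
    if kind == "send":
        m = f"m{rng.randint(0, 9)}"
        ch.send(m)
        return ("send", m)
    if kind == "receive" and ch.receive_enabled():
        return ("receive", ch.receive())
    lim = ch.max_delay()
    d = rng.randint(0, 5 if lim is None else lim)
    ch.advance(d)
    return ("time", d)

def check_invariant_inductive(b=3, trials=2000, seed=1):
    """Base case on the start state plus a randomized induction step."""
    rng = random.Random(seed)
    if not invariant1(TimedChannel(b)):
        return False
    for _ in range(trials):
        ch = random_invariant_state(b, rng)
        random_step(ch, rng)
        if not invariant1(ch):
            return False
    return True

def R25(x, y):
    """Relation R of Example 4.25: same now, same messages, deadlines u1 <= u2."""
    return (x.now == y.now and len(x.queue) == len(y.queue) and
            all(m1 == m2 and u1 <= u2 for (m1, u1), (m2, u2) in zip(x.queue, y.queue)))

def match(y, step):
    """B's closed execution fragment with the same trace as A's step, or False
    when the corresponding precondition of B is not enabled."""
    kind, arg = step
    if kind == "send":
        y.send(arg)
    elif kind == "receive":
        if not y.receive_enabled() or y.receive() != arg:
            return False
    elif y.max_delay() is not None and arg > y.max_delay():
        return False
    else:
        y.advance(arg)
    return True

def pair_25(b1, b2):
    """Related start states, or random related states, of the two channels."""
    def make(rng, start):
        x = TimedChannel(b1) if start else random_invariant_state(b1, rng)
        y = TimedChannel(b2, x.now, [(m, u + rng.randint(0, max(0, b2 - b1)))
                                     for m, u in x.queue])
        return x, y
    return make

def check_forward_simulation(make_pair, R, trials=2000, seed=2):
    """Condition 1 on the unique start states; conditions 2 and 3 on random
    related pairs: after any step of A, B must match with the results related."""
    rng = random.Random(seed)
    if not R(*make_pair(rng, start=True)):
        return False
    for _ in range(trials):
        x, y = make_pair(rng, start=False)
        step = random_step(x, rng)
        if not match(y, step) or not R(x, y):
            return False
    return True

if __name__ == "__main__":
    print(check_invariant_inductive(), check_forward_simulation(pair_25(2, 5), R25))
```

Reversing the roles (the $b = 5$ channel as $A$ and the $b = 2$ channel as $B$) makes the check fail on the first $\mathit{send}$ step, because $A$ records the deadline $\mathit{now} + 5$ while $B$ can only record $\mathit{now} + 2$, so condition 3 of $R$ is violated; this is the direction in which the trace inclusion of Corollary 4.24 does not hold.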


Example 4.26 (Time-bounded channel that keeps all messages) In this example we define a variant of $\mathit{TimedChannel}(b, M)$ from Example 4.1 called $\mathit{TimedChannel2}(b, M)$. The main difference between $\mathit{TimedChannel}(b, M)$ and $\mathit{TimedChannel2}(b, M)$ is that the message queue in $\mathit{TimedChannel2}(b, M)$ is implemented using a finite sequence of (message, delivery deadline) pairs $\mathit{queue}$ and a pointer $\mathit{ptr}$ that points to the next element that is to be delivered. Hence, the internal variables of $\mathit{TimedChannel2}(b, M)$ consist of $\mathit{queue}$, $\mathit{now}$ and $\mathit{ptr}$. The variable $\mathit{ptr}$ initially has value 1, which indicates that it is pointing to the first element in the sequence. A $\mathit{send}(m)$ action causes messages and deadlines to be added to the sequence as in $\mathit{TimedChannel}(b, M)$. A $\mathit{receive}(m)$ causes $\mathit{ptr}$ to be incremented to make it point to the next element in the sequence instead of removing the first element. The automaton $\mathit{TimedChannel}(b, M)$ can be viewed as an optimized implementation of $\mathit{TimedChannel2}(b, M)$.

We define below a forward simulation $R$ from $\mathit{TimedChannel}(b, M)$ to $\mathit{TimedChannel2}(b, M)$. If $x$ is a state of $\mathit{TimedChannel}(b, M)$ and $y$ is a state of $\mathit{TimedChannel2}(b, M)$, then $x\ R\ y$ provided that the following conditions are satisfied:

1. $x(\mathit{now}) = y(\mathit{now})$.

2. $x(\mathit{queue}) = y(\mathit{queue})(y(\mathit{ptr}) \ldots |y(\mathit{queue})|)$.

Automaton SendVal(u, ρ)_i where u ∈ ℝ⁺, 0 < ρ < 1, i ∈ I

Variables X : discrete counter ∈ ℝ initially 0
            analog now ∈ ℝ initially 0

States Q : val(X)
Actions A : external send(m)_i, receive(m)_{j,i} where m ∈ ℝ, j ∈ I, j ≠ i

Transitions D :
  external send(m)_i
    precondition
      m = counter × u
      counter × u/(1 + ρ) ≤ now
    effect
      counter := counter + 1

  external receive(m)_{j,i}

Trajectories T : satisfies
    constant(counter)
    d(now) = 1
    stops when
      now = counter × u/(1 − ρ)

Figure 10: Clock synchronization


Example 4.27 (Clock synchronization) In this example, we define a forward simulation from $\mathit{ClockSync}(u, \rho)_i$ of Figure 8 to an automaton that sends multiples of $u$. The specification of this automaton, which is called $\mathit{SendVal}(u, \rho)_i$, is given in Figure 10. We assume that the subscripts representing process indices in both automata are drawn from the same finite set $I$.


The variable counter keeps track of which multiple of u is to be sent next, and variable 
now contains the current time. The automaton parameter p is used in the precondition 
of the send and the stopping condition of the trajectory definition, to enforce bounds on 
the times of occurrence of send. 


We now define a forward simulation R from the automaton ClockSync(u, p); to the 
automaton SendVal(u,p) where u and p are actual parameters. If x is a state of the 
automaton ClockSync(u, p); and y is a state of SendVal(u, p), then x Ry provided that 
the following conditions are satisfied: 


1. y(now)(1 — p) < x(physclock) < y(now)(1 + p). 


2. y(counter) = x(nextsend)/u. 


4.5.2 Refinements 


Let A and B be comparable TAs. A refinement from A to B is a function $F \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of A and B, respectively:

1. If $x_A \in \Theta_A$ then $F(x_A) \in \Theta_B$.

2. If $\alpha$ is an execution fragment of A consisting of one action surrounded by two point trajectories, with $\alpha.fstate = x_A$, then B has a closed execution fragment $\beta$ with $\beta.fstate = F(x_A)$, $trace(\beta) = trace(\alpha)$, and $\beta.lstate = F(\alpha.lstate)$.

3. If $\alpha$ is an execution fragment of A consisting of a single closed trajectory, with $\alpha.fstate = x_A$, then B has a closed execution fragment $\beta$ with $\beta.fstate = F(x_A)$, $trace(\beta) = trace(\alpha)$, and $\beta.lstate = F(\alpha.lstate)$.

Theorem 4.28 Let A and B be two TAs and suppose $R \subseteq Q_A \times Q_B$. Then R is a refinement from A to B if and only if R is a forward simulation from A to B and R is a function.

Theorem 4.29 Let A, B and C be comparable TAs. If $R_1$ is a refinement from A to B and $R_2$ is a refinement from B to C, then $R_2 \circ R_1$ is a refinement from A to C.

An isomorphism from A to B is a refinement F from A to B such that $F^{-1}$ is a refinement from B to A. We say that two automata A and B are isomorphic if there exists an isomorphism from A to B (or, equivalently, from B to A).
4.5.3 Backward Simulations

Let A and B be comparable TAs. A backward simulation from A to B is a total relation $R \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of A and B, respectively:

1. If $x_A \in \Theta_A$ and $x_A\,R\,x_B$ then $x_B \in \Theta_B$.

2. If $x_A\,R\,x_B$ and $\alpha$ is an execution fragment of A with $\alpha.lstate = x_A$, consisting of one discrete action surrounded by two point trajectories, then B has a closed execution fragment $\beta$ with $\beta.lstate = x_B$, $trace(\beta) = trace(\alpha)$, and $\alpha.fstate\,R\,\beta.fstate$.

3. If $x_A\,R\,x_B$ and $\alpha$ is an execution fragment of A with $\alpha.lstate = x_A$, consisting of one trajectory, then B has a closed execution fragment $\beta$ with $\beta.lstate = x_B$, $trace(\beta) = trace(\alpha)$, and $\alpha.fstate\,R\,\beta.fstate$.

Backward simulations induce a preorder between timed automata.

Theorem 4.30 Let A, B and C be comparable TAs. If $R_1$ is a backward simulation from A to B and $R_2$ is a backward simulation from B to C, then $R_2 \circ R_1$ is a backward simulation from A to C.

Theorem 4.31 Let A and B be comparable TAs and let R be a backward simulation from A to B. Let $x_A$ and $x_B$ be states of A and B, respectively, such that $x_A\,R\,x_B$. Let $\beta$ be the trace of a closed execution fragment of A from $y_A$ with last state $x_A$. Then there exists $y_B$ such that $\beta$ is also the trace of a closed execution fragment of B from $y_B$ with last state $x_B$ and $y_A\,R\,y_B$.

Proof: Fix some R, $x_A$, $x_B$ and $\beta$ satisfying the conditions in the statement of the theorem. Let $\alpha \in frags_A(y_A)$ for some state $y_A$ of A with $trace(\alpha) = \beta$. By using the axioms T1 and T2, we can write $\alpha$ as the concatenation of a sequence of closed execution fragments, $\alpha = \alpha_0 \frown \alpha_1 \frown \ldots \alpha_n$, where each $\alpha_i$ is either a closed trajectory or an action surrounded by two point trajectories, and $\alpha_i.lstate = \alpha_{i+1}.fstate$ for $0 \le i < n$.

By using the definition of a backward simulation, working backwards from $\alpha_n$, we can construct an execution fragment $\alpha' = \alpha'_0 \frown \alpha'_1 \frown \ldots \alpha'_n$ from a state $y_B$ of B such that (a) $\alpha'.lstate = x_B$, (b) for all i, $0 \le i \le n$, $\alpha_i.fstate\,R\,\alpha'_i.fstate$ and $trace(\alpha'_i) = trace(\alpha_i)$, (c) for all i, $0 \le i \le n - 1$, $\alpha'_i.lstate = \alpha'_{i+1}.fstate$. Using Lemma 4.7, we can see that $\alpha'$ is an execution fragment of B. By Lemma 3.9, $trace(\alpha) = trace(\alpha')$ as needed. ∎

Corollary 4.32 Let A and B be comparable TAs and let R be a backward simulation from A to B. Then every closed trace of A is a trace of B.

Proof: Suppose R is a backward simulation from A to B and $\beta$ is a closed trace of A. Then $\beta = trace(\alpha)$ for some closed execution $\alpha$ of A. Let $x_A$ and $y_A$ be the first and last states of $\alpha$, respectively. By the totality of relation R, there exists some state $y_B$ of B such that $y_A\,R\,y_B$. By Theorem 4.31, there exists $x_B$ of B such that $\beta$ is the trace of a closed execution fragment of B from $x_B$ with last state $y_B$ and $x_A\,R\,x_B$. Property 1 of the definition of a backward simulation relation implies that $x_B$ is a start state of B. It follows that $\beta \in traces_B$, as needed. ∎


Theorem 4.33 Let A and B be comparable TAs and let R be an image-finite backward simulation from A to B. Then $traces_A \subseteq traces_B$.

Proof: Let $\beta \in traces_A$. If $\beta$ is closed then Corollary 4.32 implies that $\beta$ is a trace of B. From now on we assume $\beta$ is not closed.

Let $\alpha \in execs_A$ with $trace(\alpha) = \beta$. Note that any such $\alpha$ is either an infinite sequence $\tau_0\,a_1\,\tau_1 \ldots$ or a finite sequence $\tau_0\,a_1\,\tau_1 \ldots \tau_n$ where the final trajectory $\tau_n$ is right open. In either case, using the axioms T1 and T2, we can construct an infinite sequence $\alpha_0\,\alpha_1 \ldots$ of closed execution fragments such that $\alpha = \alpha_0 \frown \alpha_1 \frown \ldots$, where $\alpha_0$ is a point trajectory, each $\alpha_i$ is either a closed trajectory or an action surrounded by two point trajectories, and $\alpha_i.lstate = \alpha_{i+1}.fstate$ for each i, $0 \le i$.

We construct a directed graph G whose nodes are pairs (x, i) consisting of a state of B and an index such that $(\alpha_i.lstate, x) \in R$. In G, there is an edge from (x, i) to (x', j) exactly if $j = i + 1$ and there is an $\alpha' \in frags_B(x)$ with $trace(\alpha') = trace(\alpha_{i+1})$ such that $\alpha'.lstate = x'$. Since R is image-finite there are finitely many roots of G. By image-finiteness of R and the definition of the edge set, each node has finite outdegree. By using the definition of a backward simulation and the edge set of G, we can show that each node (x, i) is reachable from some root node (z, 0) for some start state z of B.

The directed graph G satisfies the hypotheses of Lemma 2.3, which implies that there is an infinite path in G starting from a root. An edge from a node (x, i) to (x', i + 1) along this infinite path corresponds to a closed execution fragment $\gamma_{i+1}$ of B, for i with $0 \le i$, such that $\gamma_{i+1}.fstate = x$, $\gamma_{i+1}.lstate = x'$ and $trace(\gamma_{i+1}) = trace(\alpha_{i+1})$. By Lemma 4.7, $\gamma = \gamma_1 \frown \gamma_2 \frown \ldots$ is an execution of B and by Lemma 3.9, $trace(\gamma) = trace(\gamma_1) \frown trace(\gamma_2) \ldots$. Since $trace(\gamma_{i+1}) = trace(\alpha_{i+1})$ for all i, $0 \le i$, and $\alpha_0$ is a point trajectory, by Lemma 3.9 we get $trace(\gamma) = trace(\alpha) = \beta$. ∎


Example 4.34 (A backward simulation relation) This example illustrates the difference between forward and backward simulations. We consider two automata A and B and show that a forward simulation from A to B does not exist, while we exhibit a backward simulation from A to B.

Let A and B be two comparable automata specified below. The trajectories consist of a set of point trajectories. This implies that the automaton does not allow time to pass: everything happens at time 0.

• $V_A = \{stateA\}$ and $V_B = \{stateB\}$ where: stateA is a discrete variable with $type(stateA) = \{x_A, y_A, q_A, s_A\}$, and stateB is a discrete variable with $type(stateB) = \{x_B, y_B, y'_B, q_B, s_B\}$.

• $Q_A = val(V_A)$ and $Q_B = val(V_B)$. We write $x_A$ for the valuation that maps stateA to $x_A$, $y_A$ for the valuation that maps stateA to $y_A$, etc. Similarly, we write $x_B$ for the valuation that maps stateB to $x_B$, $y_B$ for the valuation that maps stateB to $y_B$, etc.

• $\Theta_A = \{x_A\}$ and $\Theta_B = \{x_B\}$.

• $E_A = E_B = \{a, b, c\}$ and $H_A = H_B = \emptyset$.

• $D_A = \{(x_A, a, y_A), (y_A, b, q_A), (y_A, c, s_A)\}$, and $D_B = \{(x_B, a, y_B), (x_B, a, y'_B), (y_B, b, q_B), (y'_B, c, s_B)\}$.

• $T_A = \{\wp(v) \mid v \in Q_A\}$, and $T_B = \{\wp(v) \mid v \in Q_B\}$.

The following are representations of automata A and B as directed multigraphs. The nodes in the graph represent states and the edges represent discrete transitions, where a label on an edge stands for the action involved in the transition.

A: $x_A \xrightarrow{a} y_A$, $y_A \xrightarrow{b} q_A$, $y_A \xrightarrow{c} s_A$

B: $x_B \xrightarrow{a} y_B$, $x_B \xrightarrow{a} y'_B$, $y_B \xrightarrow{b} q_B$, $y'_B \xrightarrow{c} s_B$

An obvious candidate for a forward simulation from A to B is the relation $R = \{(x_A, x_B), (y_A, y_B), (y_A, y'_B), (q_A, q_B), (s_A, s_B)\}$. However, observe that even though $y_A$ and $y_B$ are related by R, the execution fragment $\wp(y_A)\,c\,\wp(s_A)$ of A cannot be matched by any execution fragment of B starting with state $y_B$. Similarly, even though $y_A$ and $y'_B$ are related by R, the execution fragment $\wp(y_A)\,b\,\wp(q_A)$ of A cannot be matched by any execution fragment of B starting with $y'_B$. Therefore, R is not a forward simulation. In fact, there is no forward simulation relation from A to B: there are finitely many candidate relations from A to B, and by examining all of them we see that none is a forward simulation. The main reason for this is that while A makes the nondeterministic choice between performing b or c after performing a, B makes its choice earlier, at the same time it performs a.

There is, however, a backward simulation from A to B: the relation R defined above is a backward simulation. ∎


4.5.4 History Relations 


A relation $R \subseteq Q_A \times Q_B$ is a history relation from A to B if R is a forward simulation from A to B and $R^{-1}$ is a refinement from B to A. History relations induce a preorder between timed automata.

An automaton B is obtained from an automaton A by adding history variables if there exists a set of variables V such that

1. $V_B = V_A \cup V$ and $V_A \cap V = \emptyset$,

2. $Q_B \subseteq val(V_B)$ such that $Q_B \lceil V_A \subseteq Q_A$, and

3. the relation $\{(x, y) \mid y \in Q_B \text{ and } y \lceil V_A = x\}$ is a history relation from A to B.


The method of adding history variables is typically used to make it possible to establish 
an implementation relationship using a refinement. If a refinement does not exist from a 
low-level automaton to a higher-level one, it can often be made to exist by adding history 
variables to the low-level automaton. 


Example 4.35 (Adding history variables to obtain a refinement) We cannot show that TimedChannel(b, M) is an implementation of TimedChannel2(b, M) from Example 4.26 by using a refinement. This is because we have no way of specifying what the subsequence before the pointer should be in TimedChannel2(b, M) when relating the states of the two automata. This example shows how we can add history variables to TimedChannel(b, M) (actually, we add just one variable) to obtain a new automaton that is related to TimedChannel2(b, M) by a refinement.

Let log be a discrete variable whose static type is the same as the static type of queue in TimedChannel(b, M), and let the initial value of log be the empty sequence. We define a new automaton TimedChannelH(b, M) whose set of variables consists of the variables of TimedChannel(b, M) and the variable log. The rest of the definition of TimedChannelH(b, M) is the same as TimedChannel(b, M) except for the transition definition for receive(m). A receive(m) event in TimedChannelH(b, M) not only removes the first message from the message queue but also appends this message to the sequence contained in log.

Let $V_1$, $V_2$ be the sets of variables and $Q_1$, $Q_2$ be the sets of states of TimedChannel(b, M) and TimedChannelH(b, M), respectively. It is easy to verify that the relation $\{(x, y) \mid y \in Q_2 \text{ and } y \lceil V_1 = x\}$ is a history relation from TimedChannel(b, M) to TimedChannelH(b, M). This means that TimedChannelH(b, M) is obtained from TimedChannel(b, M) by adding a history variable.

We now define a refinement F from TimedChannelH(b, M) to TimedChannel2(b, M) as follows. In our definition we assume the following conventions. Concatenation on the left corresponds to putting an element on the front of a queue. Recall also that we use juxtaposition for concatenation of sequences. If x is a state of TimedChannelH(b, M) and y is a state of TimedChannel2(b, M), then F(x) = y where:

1. $y(now) = x(now)$.

2. $y(queue) = x(log)\,x(queue)$ such that $|x(log)| = y(ptr) - 1$.
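The relation R of Example 4.26 and the refinement F above can be checked mechanically on concrete executions. The following Python is an added example, not code from the paper. It models the three channels as small state machines (the definitions of TimedChannel(b, M) are assumed from Example 4.1 as described in the module docstring, since that example is not on this page), runs a constructed sequence of send, receive and time-passage steps through all three automata in lockstep, and checks after each step that R holds between the TimedChannel and TimedChannel2 states and that F maps the TimedChannelH state to exactly the TimedChannel2 state. A second function exhibits two distinct TimedChannel2 states that R relates to the same TimedChannel state, which is why R is not a function and no refinement exists without the history variable. All class and function names are the example's own.

```python
"""TimedChannel, TimedChannel2 and TimedChannelH as state machines, with the
forward simulation R (Example 4.26) and the refinement F (Example 4.35) checked
along a constructed execution.  Added example, not code from the paper.

ASSUMED channel semantics (Example 4.1 is not on this page): send(m) appends
(m, now + b) to the queue, the head has the earliest deadline, receive removes
the head, and time may not pass beyond the head's deadline ('stops when').
"""
import math


class TimedChannel:
    """Example 4.1: queue of (message, deadline) pairs; receive removes the head."""

    def __init__(self, b):
        self.b, self.now, self.queue = b, 0.0, []

    def send(self, m):
        self.queue.append((m, self.now + self.b))

    def receive(self):
        assert self.queue, "receive precondition: queue non-empty"
        m, _ = self.queue.pop(0)
        return m

    def time_bound(self):
        """Latest value `now` may reach before a discrete step must occur."""
        return self.queue[0][1] if self.queue else math.inf

    def advance(self, dt):
        assert self.now + dt <= self.time_bound(), "trajectory stops at the deadline"
        self.now += dt


class TimedChannelH(TimedChannel):
    """Example 4.35: TimedChannel plus the history variable log."""

    def __init__(self, b):
        super().__init__(b)
        self.log = []

    def receive(self):
        assert self.queue, "receive precondition: queue non-empty"
        pair = self.queue.pop(0)
        self.log.append(pair)       # the delivered element is appended to log
        return pair[0]


class TimedChannel2:
    """Example 4.26: nothing is removed; ptr (1-based) marks the next delivery."""

    def __init__(self, b):
        self.b, self.now, self.queue, self.ptr = b, 0.0, [], 1

    def send(self, m):
        self.queue.append((m, self.now + self.b))

    def receive(self):
        assert self.ptr <= len(self.queue), "receive precondition: undelivered message"
        m, _ = self.queue[self.ptr - 1]
        self.ptr += 1
        return m

    def time_bound(self):
        return self.queue[self.ptr - 1][1] if self.ptr <= len(self.queue) else math.inf

    def advance(self, dt):
        assert self.now + dt <= self.time_bound(), "trajectory stops at the deadline"
        self.now += dt


def related_R(x, y):
    """x R y of Example 4.26: equal clocks, and x's queue is y's queue from ptr on."""
    return x.now == y.now and x.queue == y.queue[y.ptr - 1:]


def refine_F(x):
    """F of Example 4.35 as (now, queue, ptr): the TimedChannel2 state determined by x."""
    return (x.now, x.log + x.queue, len(x.log) + 1)


def state2(y):
    return (y.now, y.queue, y.ptr)


def run_in_lockstep(steps, b=2.0):
    """Apply the same steps to all three automata; count the steps after which
    both R and F hold (equals len(steps) when they hold throughout)."""
    x, xh, y = TimedChannel(b), TimedChannelH(b), TimedChannel2(b)
    held = 0
    for kind, arg in steps:
        for aut in (x, xh, y):
            if kind == "send":
                aut.send(arg)
            elif kind == "receive":
                assert aut.receive() == arg
            else:
                aut.advance(arg)
        if related_R(x, y) and refine_F(xh) == state2(y):
            held += 1
    return held


def r_is_not_a_function(b=2.0):
    """Two different TimedChannel2 states related by R to one TimedChannel state."""
    x = TimedChannel(b); x.send("m2")
    y1 = TimedChannel2(b); y1.send("m2")
    y2 = TimedChannel2(b); y2.send("m1"); y2.receive(); y2.send("m2")
    return related_R(x, y1) and related_R(x, y2) and state2(y1) != state2(y2)


# Constructed execution with b = 2: two sends, then on-time deliveries.
SAMPLE_STEPS = [("send", "m1"), ("advance", 1.0), ("send", "m2"), ("advance", 1.0),
                ("receive", "m1"), ("advance", 0.5), ("receive", "m2"), ("advance", 3.0)]
```

Because all three automata share the same external actions, matching a step of the low-level automaton by the same step of the high-level one is exactly the matching the simulation and refinement conditions ask for, so the lockstep run exercises conditions 2 and 3 of both definitions on this execution.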


Whenever an automaton B is obtained from A by adding history variables, there exists a history relation from A to B by definition. Theorem 4.36 states that the converse also holds, if isomorphic automata are considered.

Theorem 4.36 Let A and B be two comparable TAs such that $V_A$ and $V_B$ are disjoint. Suppose that there is a history relation from A to B. Then there exists an automaton C that is isomorphic to B and is obtained from A by adding history variables.

Proof: Let R be a history relation from A to B. Define automaton C as follows:

• $V_C = V_A \cup V_B$.

• $Q_C = \{x \in val(V_C) \mid (x \lceil V_A, x \lceil V_B) \in R\}$.

• $\Theta_C = \{x \in Q_C \mid x \lceil V_B \in \Theta_B\}$.

• $E_C = E_B$ and $H_C = H_B$.

• $x \xrightarrow{a}_C y$ if and only if $x \lceil V_B \xrightarrow{a}_B y \lceil V_B$.

• $x \xrightarrow{\tau}_C y$ if and only if $x \lceil V_B \xrightarrow{\tau_B}_B y \lceil V_B$ where $\tau_B = \tau \lceil V_B$.

Let $F : Q_C \to Q_B$ be defined such that $F(x) = x \lceil V_B$ for all $x \in Q_C$. The function F is an isomorphism from C to B: it is easy to check that F is a refinement from C to B. We can also easily verify that $F^{-1}$ is a refinement from B to C, by definition of C and the fact that $R^{-1}$ is a function from the states of B to the states of A.

Now, we verify that C is obtained from A by adding history variables. Let $V_B$ be the variable set V required in the definition of a history variable and let $R' = \{(x, y) \mid y \in Q_C \wedge y \lceil V_A = x\}$. We need to show that R' is a history relation from A to C.

1. R' is a forward simulation from A to C. By the definitions of the relations F, R' and the automaton C, $R' = F^{-1} \circ R$. Since $F^{-1}$ is a refinement from B to C, by Theorem 4.28 we know that it is a forward simulation from B to C. Since R is a forward simulation from A to B, by Theorem 4.21 we have that R' is a forward simulation from A to C, as needed.

2. $R'^{-1}$ is a refinement from C to A. By the definitions of the relations F, R' and the automaton C, $R'^{-1} = R^{-1} \circ F$. Since F is a refinement from C to B and $R^{-1}$ is a refinement from B to A, by Theorem 4.29 we have that $R'^{-1}$ is a refinement from C to A, as needed. ∎

The following theorem shows that forward simulations are essentially the same as history relations combined with refinements.


Theorem 4.37 Let A and B be two comparable TAs such that $V_A$ and $V_B$ are disjoint. There is a forward simulation from A to B if and only if there exists a TA C such that there is a history relation from A to C and a refinement from C to B.

Proof: To prove the implication ⇒, suppose R is a forward simulation from A to B. Let C be an automaton defined as follows:

• $V_C = V_A \cup V_B$.

• $Q_C = \{x \in val(V_C) \mid (x \lceil V_A, x \lceil V_B) \in R\}$.

• $\Theta_C = \{x \in Q_C \mid x \lceil V_A \in \Theta_A \wedge x \lceil V_B \in \Theta_B\}$.

• $E_C = E_A$ and $H_C = H_A$.

• $x \xrightarrow{a}_C y$ if and only if both of the following conditions hold:
  1. $x \lceil V_A \xrightarrow{a}_A y \lceil V_A$.
  2. There exists an execution fragment $\beta$ of B such that $\beta.fstate = x \lceil V_B$, $\beta.lstate = y \lceil V_B$, and $trace(\beta) = trace(\wp(x)\,a\,\wp(y))$.

• $x \xrightarrow{\tau}_C y$ if and only if both of the following conditions hold:
  1. $\tau_1 = \tau \lceil V_A \in T_A$ and $x \lceil V_A \xrightarrow{\tau_1}_A y \lceil V_A$.
  2. $\tau_2 = \tau \lceil V_B \in T_B$ and $x \lceil V_B \xrightarrow{\tau_2}_B y \lceil V_B$.

Let $\pi_A$ and $\pi_B$ be the functions that restrict states of C to, respectively, $V_A$ and $V_B$. It follows from the definitions that $\pi_A$ is a history relation from A to C and $\pi_B$ is a refinement from C to B.

For the implication ⇐, suppose that there is a history relation from A to C and that there is a refinement from C to B. Then, by definition of a history relation, we know that there is a forward simulation from A to C. We also know that there is a forward simulation from C to B by Theorem 4.28. It follows that there is a forward simulation from A to B, as needed. ∎


Example 4.38 (Theorem 4.37 applied to time-bounded channels) In Example 4.26, we demonstrated a forward simulation from the automaton TimedChannel(b, M) to the automaton TimedChannel2(b, M). Theorem 4.37 implies that there exists an automaton A such that there is a history relation from TimedChannel(b, M) to A and a refinement from A to TimedChannel2(b, M). The automaton TimedChannelH(b, M) from Example 4.35 is a witness for A.


4.5.5 Prophecy Relations 


A relation $R \subseteq Q_A \times Q_B$ is a prophecy relation from A to B if R is a backward simulation from A to B and $R^{-1}$ is a refinement from B to A. Prophecy relations induce a preorder between timed automata.

An automaton B is obtained from an automaton A by adding prophecy variables if there exists a set of variables V such that

1. $V_B = V_A \cup V$ and $V_A \cap V = \emptyset$,

2. $Q_B \subseteq val(V_B)$ such that $Q_B \lceil V_A \subseteq Q_A$, and

3. the relation $\{(x, y) \mid y \in Q_B \text{ and } y \lceil V_A = x\}$ is a prophecy relation from A to B.


Example 4.39 (Adding prophecy variables to obtain a refinement) In this example we consider adding a prophecy variable to the automaton A from Example 4.34. Let C be an automaton defined as follows:

• $V_C = V_A \cup \{v\}$ where v is a discrete variable with $type(v) = \{b, c\}$.

• $Q_C = \{x_C, x'_C, y_C, y'_C, q_C, s_C\}$ such that
  $x_C \lceil V_A = x_A$ and $x_C \lceil \{v\} = b$,
  $x'_C \lceil V_A = x_A$ and $x'_C \lceil \{v\} = c$,
  $y_C \lceil V_A = y_A$ and $y_C \lceil \{v\} = b$,
  $y'_C \lceil V_A = y_A$ and $y'_C \lceil \{v\} = c$,
  $q_C \lceil V_A = q_A$ and $q_C \lceil \{v\} = b$,
  $s_C \lceil V_A = s_A$ and $s_C \lceil \{v\} = c$.

• $E_C = \{a, b, c\}$.

• $D_C = \{(x_C, a, y_C), (x'_C, a, y'_C), (y_C, b, q_C), (y'_C, c, s_C)\}$.

• $T_C = \{\wp(v) \mid v \in Q_C\}$.

The relation $R = \{(x_A, x_C), (x_A, x'_C), (y_A, y_C), (y_A, y'_C), (q_A, q_C), (s_A, s_C)\}$ is a backward simulation from A to C and $R^{-1}$ is a refinement. Therefore, C is obtained by adding a prophecy variable to A. Note that there is no refinement from A to the automaton B defined in Example 4.34. However, the relation $F = \{(x_C, x_B), (x'_C, x_B), (y_C, y_B), (y'_C, y'_B), (q_C, q_B), (s_C, s_B)\}$ is a refinement from C to B. ∎
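The claims of Examples 4.34 and 4.39 (R is a backward but not a forward simulation from A to B, no forward simulation from A to B exists at all, the relation of Example 4.39 is a backward simulation from A to C whose inverse is a refinement, and F is a refinement from C to B) can be checked exhaustively, because these automata have only point trajectories and no internal actions. The following Python is an added example, not code from the paper. Its checkers are specialised to that setting, and the start-state set of C, which is not legible in this copy of Example 4.39, is assumed to be $\{x_C, x'_C\}$. Non-existence of a forward simulation is decided by computing the greatest relation that satisfies the step-matching condition, which is sound because forward simulations are closed under union.

```python
"""Forward simulation, backward simulation and refinement checks for the finite
automata A, B (Example 4.34) and C (Example 4.39).  Added example, not code
from the paper.

All trajectories are point trajectories and there are no internal actions, so a
closed execution fragment with trace "a" is exactly one discrete step, and a
fragment consisting of a single trajectory has the empty trace and is matched
by the point trajectory of the related state.  The simulation conditions of
Section 4.5 therefore reduce to matching over the transition relations.
"""
from itertools import product

# Transition relations D_A, D_B, D_C as (state, action, state) triples.
D_A = {("xA", "a", "yA"), ("yA", "b", "qA"), ("yA", "c", "sA")}
D_B = {("xB", "a", "yB"), ("xB", "a", "yB'"), ("yB", "b", "qB"), ("yB'", "c", "sB")}
D_C = {("xC", "a", "yC"), ("xC'", "a", "yC'"), ("yC", "b", "qC"), ("yC'", "c", "sC")}

# Start states.  Theta_C is not legible in this copy of Example 4.39; it is
# ASSUMED to be {xC, xC'}, which condition 1 of a backward simulation from A
# to C requires anyway.
START_A, START_B, START_C = {"xA"}, {"xB"}, {"xC", "xC'"}


def states(D, start):
    """All states mentioned by the transition relation D or the start set."""
    return start | {s for (s, _, _) in D} | {t for (_, _, t) in D}


def steps(D, state, action):
    """Targets of the `action` steps of D that leave `state`."""
    return {t for (s, a, t) in D if s == state and a == action}


def is_forward_simulation(R, D_A, start_A, D_B, start_B):
    # Condition 1: each start state of A is related to some start state of B.
    if not all(any((s, t) in R for t in start_B) for s in start_A):
        return False
    # Condition 2: a step s -a-> s' of A is matched, from every t with s R t,
    # by a step t -a-> t' of B with s' R t'.  Condition 3 holds trivially.
    return all(any((s1, t1) in R for t1 in steps(D_B, t, a))
               for (s, t) in R for (s0, a, s1) in D_A if s0 == s)


def greatest_forward_simulation(D_A, start_A, D_B, start_B):
    """Largest relation satisfying condition 2 (a greatest fixpoint).  Forward
    simulations are closed under union, so one exists iff this relation also
    satisfies condition 1."""
    R = set(product(states(D_A, start_A), states(D_B, start_B)))
    while True:
        bad = {(s, t) for (s, t) in R for (s0, a, s1) in D_A
               if s0 == s and not any((s1, t1) in R for t1 in steps(D_B, t, a))}
        if not bad:
            return R
        R -= bad


def forward_simulation_exists(D_A, start_A, D_B, start_B):
    R = greatest_forward_simulation(D_A, start_A, D_B, start_B)
    return all(any((s, t) in R for t in start_B) for s in start_A)


def is_backward_simulation(R, D_A, start_A, D_B, start_B):
    # R must be total on the states of A.
    if not all(any(s == s2 for (s2, _) in R) for s in states(D_A, start_A)):
        return False
    # Condition 1: a start state of A may only be related to start states of B.
    if any(s in start_A and t not in start_B for (s, t) in R):
        return False
    # Condition 2, working backwards: a step s -a-> s' of A with s' R t' is
    # matched by a step t -a-> t' of B with s R t.  Condition 3 is trivial.
    return all(any((s0, t0) in R for (t0, b, t1b) in D_B if b == a and t1b == t1)
               for (s1, t1) in R for (s0, a, s1b) in D_A if s1b == s1)


def is_refinement(F, D_A, start_A, D_B, start_B):
    """F is a dict, i.e. a function on states; every step must map to a step."""
    if not all(F[s] in start_B for s in start_A):
        return False
    return all((F[s0], a, F[s1]) in D_B for (s0, a, s1) in D_A)


# The candidate relation R of Example 4.34 and the relations of Example 4.39.
R_AB = {("xA", "xB"), ("yA", "yB"), ("yA", "yB'"), ("qA", "qB"), ("sA", "sB")}
R_AC = {("xA", "xC"), ("xA", "xC'"), ("yA", "yC"), ("yA", "yC'"),
        ("qA", "qC"), ("sA", "sC")}
F_CA = {c: a for (a, c) in R_AC}      # the inverse of R_AC, which is a function
F_CB = {"xC": "xB", "xC'": "xB", "yC": "yB", "yC'": "yB'", "qC": "qB", "sC": "sB"}


def run_checks():
    return {
        "R_AB forward": is_forward_simulation(R_AB, D_A, START_A, D_B, START_B),
        "any forward A->B": forward_simulation_exists(D_A, START_A, D_B, START_B),
        "R_AB backward": is_backward_simulation(R_AB, D_A, START_A, D_B, START_B),
        "R_AC backward": is_backward_simulation(R_AC, D_A, START_A, D_C, START_C),
        "R_AC^-1 refinement C->A": is_refinement(F_CA, D_C, START_C, D_A, START_A),
        "F_CB refinement C->B": is_refinement(F_CB, D_C, START_C, D_B, START_B),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

The greatest-fixpoint computation removes $(y_A, \cdot)$ first, because no single state of B offers both a b-step and a c-step, and then $(x_A, x_B)$, because its a-step can no longer be matched; this is the "B chooses earlier" argument of Example 4.34 carried out mechanically.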


Theorem 4.40 Let A and B be two comparable TAs such that $V_A$ and $V_B$ are disjoint. Suppose that there is a prophecy relation from A to B. Then there exists an automaton C that is isomorphic to B and is obtained from A by adding prophecy variables.

Proof: The proof is analogous to the proof of Theorem 4.36. We assume a backward simulation relation R instead of a forward simulation relation. We construct the automaton C as in Theorem 4.36 and verify that it is obtained from A by adding a prophecy variable. ∎

Theorem 4.41 Let A and B be two comparable TAs such that $V_A$ and $V_B$ are disjoint. There is a backward simulation from A to B if and only if there exists a TA C such that there is a prophecy relation from A to C and a refinement from C to B.

Proof: The proof is analogous to the proof of Theorem 4.37. We assume a backward simulation relation R instead of a forward simulation. The construction of the automaton C and the reasoning that follows are similar. ∎

Example 4.42 (Theorem 4.41 applied to Examples 4.34 and 4.39) In Example 4.34, we demonstrated a backward simulation from A to B. Theorem 4.41 implies that there exists an automaton C such that there is a prophecy relation from A to C and a refinement from C to B. The automaton C defined in Example 4.39 constitutes a witness for C. ∎


5 Operations on Timed Automata 


In this section, we introduce four kinds of operations on timed automata: parallel composition, hiding, adding lower and upper bounds for tasks, and untiming.


5.1 Composition 
5.1.1 Definitions and Basic Results 


The composition operation for timed automata allows an automaton representing a complex system to be constructed by composing automata representing individual system components. Our composition operation identifies external actions with the same name in different component automata. When any component automaton performs a discrete step involving an action a, so do all component automata that have a as an external action. The composition operator for timed automata is simpler than it is for general hybrid automata since all the variables in a timed automaton are internal.²

Formally, we say that timed automata $A_1$ and $A_2$ are compatible if $H_1 \cap A_2 = H_2 \cap A_1 = \emptyset$ and $X_1 \cap X_2 = \emptyset$. If $A_1$ and $A_2$ are compatible then their composition $A_1 \| A_2$ is defined to be the structure $A = (X, Q, \Theta, E, H, D, T)$ where

• $X = X_1 \cup X_2$.

• $Q = \{x \in val(X) \mid x \lceil X_i \in Q_i, i \in \{1, 2\}\}$.

• $\Theta = \{x \in Q \mid x \lceil X_i \in \Theta_i, i \in \{1, 2\}\}$.

• $E = E_1 \cup E_2$ and $H = H_1 \cup H_2$.

• For each $x, x' \in Q$ and each $a \in A$, $x \xrightarrow{a} x'$ iff for $i \in \{1, 2\}$, either (1) $a \in A_i$ and $x \lceil X_i \xrightarrow{a}_i x' \lceil X_i$, or (2) $a \notin A_i$ and $x \lceil X_i = x' \lceil X_i$.

• $T \subseteq trajs(X)$ is given by $\tau \in T \Leftrightarrow \tau \lceil X_i \in T_i, i \in \{1, 2\}$.

² The composition operation for general hybrid automata requires external variables to be identified as well as external actions. When any component automaton follows a particular trajectory for an external variable v, then so do all component automata of which v is an external variable.
Theorem 5.1 If $A_1$ and $A_2$ are timed automata then $A_1 \| A_2$ is a timed automaton.

Lemma 5.2 Let $A = A_1 \| A_2$ and let $\alpha$ be an execution fragment of A. Then $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are execution fragments of $A_1$ and $A_2$, respectively. Furthermore,

1. $\alpha$ is time-bounded iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are time-bounded.

2. $\alpha$ is admissible iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are admissible.

3. $\alpha$ is closed iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are closed.

4. $\alpha$ is non-Zeno iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are non-Zeno.

5. $\alpha$ is an execution iff both $\alpha \lceil (A_1, X_1)$ and $\alpha \lceil (A_2, X_2)$ are executions.

Lemma 5.3 Let $A = A_1 \| A_2$, and let $\alpha$ be an execution fragment of A. Then, for i = 1, 2, $trace(\alpha) \lceil (E_i, \emptyset) = trace(\alpha \lceil (A_i, X_i))$.


The following theorem is a fundamental theorem that relates the set of traces of a com- 
posed automaton to the sets of traces of its components. Set inclusion in one direction 
expresses the idea that a trace of a composition “projects” to yield traces of the compo- 
nents. Set inclusion in the other direction expresses the idea that traces of components 
can be “pasted” to yield a trace of the composition. 


Theorem 5.4 Let $A = A_1 \| A_2$. Then $traces_A$ is exactly the set of $(E, \emptyset)$-sequences whose restrictions to $A_1$ and $A_2$ are traces of $A_1$ and $A_2$, respectively. That is,

$traces_A = \{\beta \mid \beta \text{ is an } (E, \emptyset)\text{-sequence and } \beta \lceil (E_i, \emptyset) \in traces_{A_i}, i \in \{1, 2\}\}$.


Notation: The compatibility conditions for composition require the set of internal vari- 
ables of each automaton to be disjoint from the set of internal variables of all the other 
automata in the composition. We use a general scheme to disambiguate the internal 
variables of components in order to avoid possible name clashes that can violate the com- 
patibility conditions. If A is the name of an automaton and v is an internal variable of A, 
then we refer to this variable as A.v in the composite automaton. 


Example 5.5 (Periodic sending process with timeouts) Let C be the composition of three automata from Examples 4.1, 4.2 and 4.4:

C = PeriodicSend($u_1$, M) || TimedChannel(b, M) || Timeout($u_2$, M)

where $M = \{m_1, \ldots, m_n\}$ and $b + u_1 < u_2$. The following sequence is a trace of C:

$\alpha = \tau_0\; send(m_1)\; \tau_1\; receive(m_1)\; \tau_2\; send(m_2)\; \tau_3\; receive(m_2)\; \tau_4 \ldots$

where e is the set consisting of the function with the empty domain and

$\tau_0 : [0, u_1] \to e$, $\tau_1 : [0, b] \to e$, $\tau_2 : [0, u_1 - b] \to e$, $\tau_3 : [0, b] \to e$, $\tau_4 : [0, u_1 - b] \to e$.

The following invariant states that C never performs a timeout action.

Invariant 1: In any reachable state x of C, x(Timeout.suspected) = false.

In order to prove this invariant we can use an auxiliary invariant such as the one below, which establishes the fact that every message is delivered before the variable now, which keeps track of real time, reaches the point at which a timeout action occurs.

Invariant 2: In any reachable state x of C,

1. if x(TimedChannel.queue) is not empty then $x(TimedChannel.queue)(1) < x(TimedChannel.now) + u_2 - x(Timeout.clock)$;

2. if x(TimedChannel.queue) is empty then $u_1 - x(PeriodicSend.clock) + b < u_2 - x(Timeout.clock)$.


Example 5.6 (Periodic sending process with failures and timeouts) In this example, we consider a composite automaton defined exactly like the one in Example 5.5 except that the automaton PeriodicSend($u_1$, M) is replaced with PeriodicSend2($u_1$, M). Let C = PeriodicSend2($u_1$, M) || TimedChannel(b, M) || Timeout($u_2$, M). The following sequence is a trace of C:

$\tau_0\; send(m_1)\; \tau_1\; receive(m_1)\; \tau_2\; fail\; \tau_3\; timeout\; \tau_4$

where e is the set consisting of the function with the empty domain and

$\tau_0 : [0, u_1] \to e$, $\tau_1 : [0, b] \to e$, $\tau_2 : [0, b] \to e$, $\tau_3 : [0, u_2 - b] \to e$, $\tau_4 : [0, \infty) \to e$.

According to this sample trace, the first message sent by the periodic sending process is received exactly b time units after it is sent. The periodic sending process fails 2b time units after sending its first message. The timeout process performs a timeout since no second message arrives within the next $u_2$ time units after the receipt of the first message.

The following invariant states that a timeout performed by C can be used to conclude that the sender process has failed.

Invariant 1: Let C = PeriodicSend2($u_1$, M) || TimedChannel(b, M) || Timeout($u_2$, M) and assume that $b + u_1 < u_2$. In any reachable state x of C, if x(Timeout.suspected) = true then x(PeriodicSend2.failed) = true.

The automaton C is guaranteed to perform a timeout to signal the failure of a process, within a specified amount of time after the occurrence of a fail event. The following is a formal statement of this property.

Let $\alpha$ be an execution of C and let t be the point in time at which a fail event occurs in $\alpha$. Then $\alpha$ includes a timeout event that occurs in the interval $[t + b, t + b + u_2]$. ∎
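Examples 5.5 and 5.6 can be explored by executing the composition. The following Python is an added example, not code from the paper. It builds the composite automaton from the component behaviour stated in its docstring (Examples 4.1, 4.2 and 4.4 are not on this page, so those transition definitions are an assumption of the example), executes it with deliveries at the channel deadline, as in the two sample traces, and checks Invariant 1 of each example after every step; it also checks the timeout bound $[t + b, t + b + u_2]$ after a scheduled fail. Running it with $b + u_1 \ge u_2$ produces a timeout without a failure, which shows why the hypothesis $b + u_1 < u_2$ is needed. The parameter values and the fail time are constructed inputs.

```python
"""Event-driven execution of the compositions of Examples 5.5 and 5.6.
Added example, not code from the paper.

The components are ASSUMED to be as in Examples 4.1, 4.2 and 4.4 (not on this page):
  PeriodicSend(u):  send(m) is enabled when clock = u and resets it; time stops at clock = u.
  PeriodicSend2(u): as above plus fail (failed := true), after which send is disabled
                    and the sender no longer stops time.
  TimedChannel(b):  send(m) enqueues (m, now + b); receive(m) removes the head;
                    time stops at the head's deadline.
  Timeout(u):       receive(m) resets clock and clears suspected; timeout is enabled
                    when clock = u and not suspected, and sets suspected.
send(m) is shared by sender and channel, receive(m) by channel and timeout process
(Section 5.1.1), so each is one discrete step of both.  Receives happen at the
channel deadline, the delivery pattern of both sample traces.  Times are Fractions
so that the 'stops when' equalities are exact.
"""
from fractions import Fraction
import math


class Composite:
    def __init__(self, u1, b, u2, fail_at=None):
        self.u1, self.b, self.u2 = Fraction(u1), Fraction(b), Fraction(u2)
        self.fail_at = None if fail_at is None else Fraction(fail_at)  # constructed input
        self.now = Fraction(0)            # real time; every clock runs at rate 1
        self.send_clock = Fraction(0)     # PeriodicSend(2).clock
        self.failed = False               # PeriodicSend2.failed (stays False without fail_at)
        self.queue = []                   # TimedChannel.queue: (message, absolute deadline)
        self.timeout_clock = Fraction(0)  # Timeout.clock
        self.suspected = False            # Timeout.suspected
        self.seq, self.trace, self.violations = 0, [], []

    def stop_time(self):
        """Earliest time at which some component's trajectory must stop."""
        bounds = [math.inf]
        if not self.failed:
            bounds.append(self.now + self.u1 - self.send_clock)
        if self.queue:
            bounds.append(self.queue[0][1])
        if not self.suspected:
            bounds.append(self.now + self.u2 - self.timeout_clock)
        if self.fail_at is not None and not self.failed:
            bounds.append(self.fail_at)
        return min(bounds)

    def fire_enabled(self):
        """Perform discrete steps until none is enabled at the current time."""
        while True:
            if self.fail_at is not None and not self.failed and self.now >= self.fail_at:
                self.failed = True
                self.trace.append((self.now, "fail"))
            elif not self.failed and self.send_clock == self.u1:
                self.seq += 1
                self.queue.append((f"m{self.seq}", self.now + self.b))
                self.send_clock = Fraction(0)
                self.trace.append((self.now, f"send(m{self.seq})"))
            elif self.queue and self.queue[0][1] == self.now:
                m, _ = self.queue.pop(0)
                self.timeout_clock, self.suspected = Fraction(0), False
                self.trace.append((self.now, f"receive({m})"))
            elif not self.suspected and self.timeout_clock == self.u2:
                self.suspected = True
                self.trace.append((self.now, "timeout"))
            else:
                return

    def check(self):
        """Invariant 1 of Example 5.6 (Invariant 1 of Example 5.5 when no fail is
        scheduled): suspected implies failed.  Records the time of violating states."""
        if self.suspected and not self.failed:
            self.violations.append(self.now)

    def run(self, horizon):
        """Execute up to real time `horizon`, checking after every step; return the trace."""
        self.fire_enabled()
        self.check()
        while self.now < horizon:
            dt = min(self.stop_time(), Fraction(horizon)) - self.now
            self.now, self.send_clock = self.now + dt, self.send_clock + dt
            self.timeout_clock += dt
            self.check()
            self.fire_enabled()
            self.check()
        return self.trace


def invariant_violations(u1, b, u2, fail_at=None, horizon=40):
    """Times of reachable states that violate 'suspected implies failed'."""
    c = Composite(u1, b, u2, fail_at)
    c.run(horizon)
    return c.violations


def timeout_bound_holds(u1, b, u2, fail_at, horizon=40):
    """Example 5.6: a fail at time t is followed by a timeout in [t + b, t + b + u2]."""
    trace = Composite(u1, b, u2, fail_at).run(horizon)
    fails = [t for t, a in trace if a == "fail"]
    touts = [t for t, a in trace if a == "timeout"]
    if len(fails) != 1 or len(touts) != 1:
        return False
    return fails[0] + b <= touts[0] <= fails[0] + b + u2


if __name__ == "__main__":
    print(Composite(3, 1, 5, fail_at=5).run(12))   # constructed parameters with b + u1 < u2
```

With $u_1 = 3$, $b = 1$, $u_2 = 5$ and a fail at time 5 the trace is send at 3, receive at 4, fail at 5, timeout at 9, which is the shape of the sample trace of Example 5.6; with $b = 3$ the timeout fires at time 5 while the first message is still in transit, the violation that the hypothesis $b + u_1 < u_2$ rules out.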


Example 5.7 (Clock synchronization) In this example we consider the composition of three clock synchronization automata with six time-bounded channel automata. A graphical representation of the composite automaton is given below. The abbreviation $CS_i$ represents the automaton ClockSync(u, ρ)_i. The abbreviation $TC_{i,j}$ represents the timed channel that communicates messages from ClockSync(u, ρ)_i to ClockSync(u, ρ)_j. We assume that the time-bounded channel automata used in this composition are defined as in Example 4.1, where the receive and send actions in each instance are renamed such that they can be shared with the clock synchronization automata. Let C be

ClockSync(u, ρ)_1 || ClockSync(u, ρ)_2 || ClockSync(u, ρ)_3 || TimedChannel(b, M)_1 || ... || TimedChannel(b, M)_6, where $M = \mathbb{R}^{\ge 0}$.

[Figure: the composite automaton C as a graph with nodes $CS_1$, $CS_2$, $CS_3$ and channels $TC_{i,j}$; the edge labels legible in this copy are $send(m)_2$, $send(m)_3$, $receive(m)_{1,2}$, $receive(m)_{2,1}$, $receive(m)_{3,1}$ and $receive(m)_{3,2}$.]


A physical clock diverges from real time at the largest rate when it evolves with rate $1 + \rho$ or $1 - \rho$. For example, if a physical clock evolves with rate $1 + \rho$, then at time t its value is $t(1 + \rho)$. Hence, the largest possible difference between a physical clock and real time is $t\rho$. This property is stated by the invariant below.

Invariant 1: In any reachable state x of C, at any time $t \in T$, for any $i \in \{1, 2, 3\}$, $|x(ClockSync(u, \rho)_i.physclock) - t| \le t\rho$.

Two physical clocks in C diverge at the largest rate when one evolves with rate $1 + \rho$ and the other with $1 - \rho$. It follows from Invariant 1 that, at any time t, the largest possible difference between the physical clock values of two processes is $2t\rho$. This property is formalized by the following invariant.

Invariant 2: In any reachable state x of C, at any time $t \in T$, for any $i, j \in \{1, 2, 3\}$, $|x(ClockSync(u, \rho)_i.physclock) - x(ClockSync(u, \rho)_j.physclock)| \le 2t\rho$.

The following invariant states that in any reachable state there exists a process j such that the logical clock of each other process in the system is smaller than or equal to the physical clock of j. This follows from the definition of a logical clock and the fact that physical clocks always increase.

Invariant 3: In any reachable state x of C, there exists $j \in \{1, 2, 3\}$ such that for all $i \in \{1, 2, 3\}$, $x(ClockSync(u, \rho)_i.logclock) \le x(ClockSync(u, \rho)_j.physclock)$.

The following invariant states that in any reachable state there exists a process j such that the logical clock of each other process in the system is larger than or equal to the physical clock of j. This follows from the definition of a logical clock.

Invariant 4: In any reachable state x of C, there exists $j \in \{1, 2, 3\}$ such that for all $i \in \{1, 2, 3\}$, $x(ClockSync(u, \rho)_i.logclock) \ge x(ClockSync(u, \rho)_j.physclock)$.

Invariants 3 and 4 together are called validity properties. They express the condition that all the logical clocks remain in an envelope bounded by the maximum and minimum physical clock values in the system.

The following invariant formalizes the property that all the logical clocks at a given time lie within the envelope formed by the largest and the smallest physical clock values in the system. It follows from Invariants 1, 3 and 4 that any point in this envelope can diverge from real time t by at most $t\rho$ time units.

Invariant 5: In any reachable state x of C, at any time $t \in T$, for any $i \in \{1, 2, 3\}$, $|x(ClockSync(u, \rho)_i.logclock) - t| \le t\rho$.

Finally, we state a property about the agreement of logical clocks in C.

Invariant 6: In any reachable state x of C, for $i, j \in \{1, 2, 3\}$, $|x(ClockSync(u, \rho)_i.logclock) - x(ClockSync(u, \rho)_j.logclock)| \le u + b(1 + \rho)$.


To see why Invariant 6 holds, fix j to be a process with the largest physical clock in x, and fix i to be any other process. Let $v_j$, $v_i$ be the logical clock values of j and i, respectively, in state x. Note that $v_j$ is also the physical clock value of j in x. By Invariant 3, we know that $v_i \le v_j$. To show Invariant 6, it suffices to show that $v_j - v_i \le u + b(1 + \rho)$.

Let $\alpha$ be a finite execution that leads to state x. There are two cases to consider.

1. Some message sent by j arrives at i in $\alpha$. Consider the last such message and let $v_1$ be the value that it contains. Let $v_2$ be the newly adjusted logical clock value of i immediately after the message arrives. We know that $v_i \ge v_2 \ge v_1$.

If j sends a later message to i in $\alpha$, then it sends the next later message when its physical clock has value $v_1 + u$. By assumption, this message does not arrive at i. Therefore, the real time that elapses after sending it must be at most b. It follows that the physical clock increase of j since sending this message is at most $b(1 + \rho)$, and so $v_j \le v_1 + u + b(1 + \rho)$. On the other hand, if j does not send a later message to i in $\alpha$, then $v_j \le v_1 + u$. In either case, we have $v_j \le v_1 + u + b(1 + \rho)$. Since $v_i \ge v_1$, we have $v_j - v_i \le u + b(1 + \rho)$, as needed for Invariant 6.

2. No message sent by j arrives at i in $\alpha$. Since the first send occurs at time 0 and b is the largest possible communication delay, the fact that i has not received the first message sent by j at time 0 implies that $t \le b$. Since both clocks start at 0, we have $v_j \le b(1 + \rho)$ and $v_i \ge 0$. Therefore, $v_j - v_i \le u + b(1 + \rho)$, which suffices for Invariant 6.
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5.1.2 Substitutivity Results 


Theorem 5.4, which relates the set of traces of a composed automaton to the set of traces 
of component automata, is fundamental for compositional reasoning. We now introduce 
another important class of results, substitutivity results, that are useful for decomposing 
verification of composite automata. These results are best understood by viewing one of 
the components of a composition as the system and the other as the environment with 
which the system interacts. 


The following result states that if a TA $A_1$ can be shown to implement another one
$A_2$, with no assumptions about their environments, then $A_1$ can be shown to implement
$A_2$ in a given environment $B$.


Theorem 5.8 Suppose $A_1$, $A_2$ and $B$ are TAs, $A_1$ and $A_2$ have the same external actions,
and each of $A_1$ and $A_2$ is compatible with $B$. If $A_1 \le A_2$ then $A_1 \| B \le A_2 \| B$.


Corollary 5.9 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible
with each of $B_1$ and $B_2$. If $A_1 \le A_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$.


We can strengthen Corollary 5.9 slightly by the following corollary: if $A_1$ implements
$A_2$ in an environment $B_2$, then $A_1$ composed with an environment that is more restrictive
than $B_2$ (whose set of external behaviors is smaller than that of $B_2$), implements $A_2$
composed with $B_2$.


Corollary 5.10 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible
with each of $B_1$ and $B_2$. If $A_1 \| B_2 \le A_2 \| B_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$.


Proof: Let $\beta \in \mathit{traces}_{A_1 \| B_1}$. By Theorem 5.4, $\beta \lceil (E_{A_1}, \emptyset) \in \mathit{traces}_{A_1}$ and $\beta \lceil (E_{B_1}, \emptyset) \in
\mathit{traces}_{B_1}$. Since $B_1 \le B_2$, $\beta \lceil (E_{B_1}, \emptyset) \in \mathit{traces}_{B_2}$. Since $B_1$ and $B_2$ have the same external
actions, it follows that $\beta \lceil (E_{B_2}, \emptyset) \in \mathit{traces}_{B_2}$. We have $\beta \lceil (E_{A_1}, \emptyset) \in \mathit{traces}_{A_1}$ and
$\beta \lceil (E_{B_2}, \emptyset) \in \mathit{traces}_{B_2}$. By Theorem 5.4, $\beta \in \mathit{traces}_{A_1 \| B_2}$. Since $A_1 \| B_2 \le A_2 \| B_2$ by
assumption, $\beta \in \mathit{traces}_{A_2 \| B_2}$, as needed. ∎


For other preorders, we also get substitutivity results, for example: 


Theorem 5.11 Suppose $A_1$, $A_2$ and $B$ are TAs, $A_1$ and $A_2$ have the same external
actions, and each of $A_1$ and $A_2$ is compatible with $B$.

1. If every closed trace of $A_1$ is a trace of $A_2$ then every closed trace of $A_1 \| B$ is a trace
   of $A_2 \| B$.

2. If every admissible trace of $A_1$ is a trace of $A_2$ then every admissible trace of $A_1 \| B$
   is a trace of $A_2 \| B$.

3. If every non-Zeno trace of $A_1$ is a trace of $A_2$ then every non-Zeno trace of $A_1 \| B$
   is a trace of $A_2 \| B$.


Example 5.12 (A counterexample for a desirable substitutivity theorem) Suppose
$A_1$ and $A_2$ have the same external actions, $B_1$ and $B_2$ have the same external actions,
and that each of $A_1$ and $A_2$ is compatible with each of $B_1$ and $B_2$. If we view $A_2$ and
$B_2$ as specifications and want to prove that $A_1 \| B_1 \le A_2 \| B_2$, it would be useful to have
a theorem that says if $A_1 \| B_2 \le A_2 \| B_2$ and $A_2 \| B_1 \le A_2 \| B_2$ then $A_1 \| B_1 \le A_2 \| B_2$. That
is, if $A_1$ implements $A_2$ in the context of $B_2$ and $B_1$ implements $B_2$ in the context of
$A_2$, we would like to conclude that $A_1 \| B_1$ implements $A_2 \| B_2$. We show by means of a
counterexample that it is impossible to prove such a theorem.


Consider the definitions of automata $A_1$, $A_2$, $B_1$, $B_2$ in Figures 11 and 12. All automata
have the same set of actions, consisting of the external actions $a$ and $b$. $A_1$ can perform
an arbitrary number of $b$s, and can perform an $a$ provided that the count of $a$s and the
count of $b$s are equal. $A_1$ allows the count of $a$s to increase to one more than the count of
$b$s.


$B_1$ can perform an arbitrary number of $a$s, and can perform a $b$ provided that the
count of $a$s is one more than the count of $b$s. $B_1$ allows the count of $b$s to reach the count
of $a$s.


$A_2$ has an infinite number of start states, each giving a different finite bound on the
number of $a$ actions it can perform. Similarly, $B_2$ has an infinite number of start states,
each giving a different finite bound on the number of $b$ actions it can perform.


Clearly, $A_1 \| B_2 \le A_2 \| B_2$, and $A_2 \| B_1 \le A_2 \| B_2$. On the other hand, $A_1 \| B_1$ can perform
an infinite sequence of alternating $a$s and $b$s, which is not allowed by the
specification $A_2 \| B_2$. This implies that $A_1 \| B_1$ does not implement $A_2 \| B_2$. ∎


In Section 8, we revisit the substitutivity issue and prove Theorem 8.8, a variant of
the desirable theorem considered in the above example, by assuming certain conditions on
the environments $A_2$ and $B_2$.


5.2 Hiding 

We define one hiding operation for timed automata, which hides external actions: if
$E \subseteq E_A$, then $\mathit{ActHide}(E, A)$ is the TA $B$ that is equal to $A$ except that $E_B = E_A - E$
and $H_B = H_A \cup E$.
Automaton A₁

   Variables X: discrete counta ∈ Z initially 0
                discrete countb ∈ Z initially 0
   States Q: val(X)
   Actions A: external a, b
   Transitions D:
      external a
         precondition
            countb = counta
         effect
            counta := counta + 1
      external b
         effect
            countb := countb + 1
   Trajectories T: {℘(x) | x ∈ Q}

Automaton B₁

   Variables X: discrete counta ∈ Z initially 0
                discrete countb ∈ Z initially 0
   States Q: val(X)
   Actions A: external a, b
   Transitions D:
      external b
         precondition
            counta = countb + 1
         effect
            countb := countb + 1
      external a
         effect
            counta := counta + 1
   Trajectories T: {℘(x) | x ∈ Q}

Figure 11: Automata A₁ and B₁
Automaton A₂

   Variables X: discrete maxcount ∈ Z≥0 initially arbitrary
                discrete counta ∈ Z≥0 initially 0
   States Q: val(X)
   Actions A: external a, b
   Transitions D:
      external a
         precondition
            counta < maxcount
         effect
            counta := counta + 1
      external b
   Trajectories T: {℘(x) | x ∈ Q}

Automaton B₂

   Variables X: discrete maxcount ∈ Z≥0 initially arbitrary
                discrete countb ∈ Z≥0 initially 0
   States Q: val(X)
   Actions A: external a, b
   Transitions D:
      external b
         precondition
            countb < maxcount
         effect
            countb := countb + 1
      external a
   Trajectories T: {℘(x) | x ∈ Q}

Figure 12: Automata A₂ and B₂
Lemma 5.13 If $E \subseteq E_A$ then $\mathit{ActHide}(E, A)$ is a TA.


Lemma 5.14 If $A$ is a TA and $E \subseteq E_A$ then $\mathit{traces}_{\mathit{ActHide}(E,A)} = \{\beta \lceil (E_A - E, \emptyset) \mid \beta \in
\mathit{traces}_A\}$.


The following theorem states that the hiding operation respects the implementation 
relation. 


Theorem 5.15 Suppose $A$ and $B$ are TAs with $A \le B$, and suppose $E \subseteq E_A$. Then
$\mathit{ActHide}(E, A) \le \mathit{ActHide}(E, B)$.


5.3 Extending Timed Automata with Bounds 


In this section, we define a new class of automata, "TA with bounds", where the basic
definition of a timed automaton is extended with the notion of a task and a pair of bounds
(a lower and an upper bound) for each task. We then define an operation that transforms
a given TA with bounds to another TA. This operation supports specifying a system by
thinking in terms of tasks and bounds as in the timed automata of Merritt, Modugno, and
Tuttle [29] and the phase transition systems of Maler, Manna and Pnueli [28].


In defining the operation for extending timed automata with bounds, we restrict atten- 
tion to a class of automata where the enabling and disabling of actions during trajectories 
follow certain rules. Specifically, our operation is defined on automata in which each action 
is enabled or disabled throughout an entire trajectory, or becomes enabled once during a 
trajectory and remains so until the end of that trajectory. The given restrictions ensure 
that the result of applying the operation to a TA is another TA and that the resulting TA 
satisfies the restrictions. 


Let $A$ be a TA, $C$ a set of actions of $A$, and $T$ the set of trajectories of $A$. We say that
$T$ is well-formed with respect to $C$ if each $\tau \in T$ satisfies one of the following conditions:


1. For all $t \in \mathit{dom}(\tau)$, $C$ is enabled in $\tau(t)$.
2. For all $t \in \mathit{dom}(\tau)$, $C$ is disabled in $\tau(t)$.

3. There exists $t \in \mathit{dom}(\tau)$ such that for all $t' \in [0,t)$, $C$ is disabled in $\tau(t')$ and for all
   $t' \in \mathit{dom}(\tau) - [0,t)$, $C$ is enabled in $\tau(t')$.


A TA with bounds, $A = (B, C, l, u)$ consists of:


• A timed automaton $B = (X, Q, \Theta, E, H, D, T)$.

• A set $C \subseteq E \cup H$ of actions called a task; we assume that $T$ is well-formed with
  respect to $C$.

• A lower time bound $l$ and an upper time bound $u$ for $C$. We require that the
  following axioms are satisfied for $l$ and $u$:
  B1 $l \in \mathbb{R}^{\ge 0}$ and $u \in \mathbb{R}^{\ge 0} \cup \{\infty\}$.
  B2 $l \le u$.


Lower and upper bounds are used to specify how much time is allowed to pass between
the enabling and the performance of an action. If $l$ is the lower bound for a task $C$, then
an action in $C$ must remain enabled at least for $l$ time units before being performed. If $u$
is the upper bound for a task $C$, then an action in $C$ can remain enabled at most $u$ time
units without being performed: it must either be performed or become disabled within $u$
time units.


We now define an operation $\mathit{Extend}$, which transforms a TA $A$ with bounds to another
TA $A'$ that incorporates the new bounds, in addition to the timing constraints already
present in $A$. Let $A = (B, C, l, u)$ be a TA with bounds where $B = (X, Q, \Theta, E, H, D, T)$.
Then $\mathit{Extend}(A)$ is the TA $A' = (X', Q', \Theta', E', H', D', T')$ such that the components of $A'$
consist of:


• $X' = X \cup \{\mathit{now}, \mathit{first}, \mathit{last}\}$ where:

  1. $\mathit{now}$, $\mathit{first}$, and $\mathit{last}$ are new variables that do not appear in $X$.
  2. $\mathit{now}$ is an analog variable such that $\mathit{type}(\mathit{now}) = \mathbb{R}$.

  3. $\mathit{first}$ and $\mathit{last}$ are discrete variables where $\mathit{type}(\mathit{first}) = \mathbb{R}$ and $\mathit{type}(\mathit{last}) =
     \mathbb{R} \cup \{\infty\}$.


• $Q' = \{x \in \mathit{val}(X') \mid x \lceil X \in Q\}$.
• $\Theta'$ consists of all the states $x \in Q'$ that satisfy the following conditions:

  1. $x \lceil X \in \Theta$.

  2. $x(\mathit{now}) = 0$.

  3. $x(\mathit{first}) = \begin{cases} l & \text{if } C \text{ is enabled in } x \lceil X, \\ 0 & \text{otherwise.} \end{cases}$

  4. $x(\mathit{last}) = \begin{cases} u & \text{if } C \text{ is enabled in } x \lceil X, \\ \infty & \text{otherwise.} \end{cases}$


• $E' = E$ and $H' = H$. We write $A' = E' \cup H'$.
• If $a \in (E \cup H)$ then $(x, a, x') \in D'$ exactly if all of the following conditions hold:

  1. $(x \lceil X) \xrightarrow{a} (x' \lceil X)$.

  2. $x'(\mathit{now}) = x(\mathit{now})$.

  3. (a) If $a \in C$, then $x(\mathit{first}) \le x(\mathit{now})$.
     (b) If $C$ is enabled both in $x \lceil X$ and $x' \lceil X$ and $a \notin C$, then $x(\mathit{first}) = x'(\mathit{first})$
         and $x(\mathit{last}) = x'(\mathit{last})$.
     (c) If $C$ is enabled in $x' \lceil X$ and either $C$ is not enabled in $x \lceil X$ or $a \in C$,
         then $x'(\mathit{first}) = x(\mathit{now}) + l$ and $x'(\mathit{last}) = x(\mathit{now}) + u$.
     (d) If $C$ is not enabled in $x' \lceil X$, then $x'(\mathit{first}) = 0$ and $x'(\mathit{last}) = \infty$.


• $T'$ is a set that consists of all $\tau \in \mathit{trajs}(X')$ that satisfy the following conditions:

  1. $(\tau \downarrow X) \in T$.
  2. $d(\mathit{now}) = 1$.
  3. (a) If for all $t \in \mathit{dom}(\tau)$, $C$ is enabled in $(\tau \downarrow X)(t)$ then $\mathit{first}$ and $\mathit{last}$ are
         constant throughout $\tau$.
     (b) If for all $t \in \mathit{dom}(\tau)$, $C$ is disabled in $(\tau \downarrow X)(t)$ then $\mathit{first}$ and $\mathit{last}$ are
         constant throughout $\tau$.
     (c) If for all $t' \in [0,t)$, $C$ is disabled in $\tau(t')$ and for all $t' \in \mathit{dom}(\tau) - [0,t)$, $C$
         is enabled in $\tau(t')$ then
         i. $\mathit{first}$ and $\mathit{last}$ are constant in $[0,t)$.
         ii. $\tau(t)(\mathit{first}) = \tau(t)(\mathit{now}) + l$ and $\tau(t)(\mathit{last}) = \tau(t)(\mathit{now}) + u$.
         iii. $\mathit{first}$ and $\mathit{last}$ are constant in $\mathit{dom}(\tau) - [0,t)$.
     (d) $\mathit{now} \le \mathit{last}$.


The transformation is based on the idea of augmenting the state of the original
automaton with a variable to represent current time ($\mathit{now}$) and the earliest time ($\mathit{first}$) and
the latest time ($\mathit{last}$) a task can be performed. All these variables represent time in
absolute terms. Item 3(a) in the definition of $D'$ expresses the new lower bound constraint
and Item 3(d) in the definition of $T'$ the new upper bound constraint.


Let $A$ be a TA with bounds $(B, C, l, u)$. In a start state $x$ of $\mathit{Extend}(A)$, the variables
$\mathit{first}$ and $\mathit{last}$ are initialized to $l$ and $u$ respectively, if $C$ is enabled in $x$. If $C$ is not enabled
in $x$, then $\mathit{first}$ is set to 0 and $\mathit{last}$ is set to $\infty$. Items 3(c) in the definition of $D'$ and 3(c) in
the definition of $T'$ show how the variables $\mathit{first}$ and $\mathit{last}$ are updated. When $C$ becomes
newly enabled by a discrete transition or when a $C$ action leads to a state in which $C$ is
enabled, $\mathit{first}$ is set to $\mathit{now} + l$ and $\mathit{last}$ is set to $\mathit{now} + u$. The variables $\mathit{first}$ and $\mathit{last}$ are
updated similarly when $C$ becomes newly enabled in the course of a trajectory.


Theorem 5.16 Suppose that $A = (B, C, l, u)$ is a TA with bounds. Then $\mathit{Extend}(A)$ is a
TA with a set of trajectories that is well-formed with respect to $C$.


Proof: The proof follows from the definitions of TA and the operation $\mathit{Extend}$. Step
3(a) in the definition of $D'$ adds a new lower bound constraint, which makes enabling
start at some particular time. Step 3(b) in the definition of $T'$ adds a new upper bound
constraint, which stops trajectories at a particular time and which does not add any
enabling or disabling to trajectories. ∎


In the rest of this section, we sometimes speak of variables, states and traces of a TA
with bounds. If $A = (B, C, l, u)$ is a TA with bounds, variables, states and traces of $A$
refer to, respectively, the variables, the states and the traces of the underlying automaton $B$.


Theorem 5.17 Suppose $A = (B, C, l, u)$ is a TA with bounds. Then $\mathit{traces}_{\mathit{Extend}(A)} \subseteq
\mathit{traces}_A$.


Proof: Let $F : Q' \to Q$ be defined as follows: $F(x) = x \lceil X$ where $X$ is the set of
internal variables of $A$. It is easy to check that $F$ is a refinement from $\mathit{Extend}(A)$ to $A$.
By Theorem 4.28 and Corollary 4.24, we conclude that $\mathit{traces}_{\mathit{Extend}(A)} \subseteq \mathit{traces}_A$. ∎


Lemma 5.18 Suppose that $A$ is a TA with bounds. For any reachable state $x$ of $\mathit{Extend}(A)$,
if $C$ is enabled in $x \lceil X$ in $A$, then $x(\mathit{last}) \le x(\mathit{now}) + u$.


Proof: Consider a closed execution $\alpha$ of $\mathit{Extend}(A)$. Using the axioms T1 and T2 for
trajectories, we can write $\alpha$ as a concatenation of closed execution fragments $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k$
where $\alpha_0$ is a point trajectory, and each $\alpha_i$ for $i \ge 1$ is either a trajectory or a discrete action
surrounded by two point trajectories such that for all $0 \le i \le k-1$, $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$.
We prove the invariant by induction on the length $k$ of the sequence of execution fragments.


For the base case, suppose that $C$ is enabled in $\alpha_0.\mathit{fstate} \lceil X$. Since $\alpha$ is an execution,
we know that $\alpha_0.\mathit{fstate}$ is a start state of $\mathit{Extend}(A)$. By definition of $\mathit{Extend}(A)$,
$\alpha_0.\mathit{fstate}(\mathit{last}) = u$. Since $\alpha_0.\mathit{fstate}(\mathit{now}) = 0$, $\alpha_0.\mathit{fstate}(\mathit{last}) \le \alpha_0.\mathit{fstate}(\mathit{now}) + u$, as
required.


For the inductive step, we assume that the property is true for the sequence $\alpha_0 \frown \alpha_1 \frown
\cdots \frown \alpha_k$ and show that it is true for $\alpha_{k+1}$ in $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k \frown \alpha_{k+1}$. There are
two cases to consider depending on whether $\alpha_{k+1}$ is a discrete action surrounded by two
point trajectories or a trajectory.


1. $\alpha_{k+1}$ is an action $a$ surrounded by two point trajectories. Suppose that $C$ is enabled
   in $\alpha_{k+1}.\mathit{lstate}$. There are two subcases to consider:

   (a) $C$ is enabled in $\alpha_k.\mathit{lstate} \lceil X$ and $a \notin C$.
       Then, $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) = \alpha_k.\mathit{lstate}(\mathit{last})$ and $\alpha_{k+1}.\mathit{lstate}(\mathit{now}) = \alpha_k.\mathit{lstate}(\mathit{now})$.
       By inductive hypothesis, $\alpha_k.\mathit{lstate}(\mathit{last}) \le \alpha_k.\mathit{lstate}(\mathit{now}) + u$. Therefore,
       $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$, as needed.

   (b) $C$ is disabled in $\alpha_k.\mathit{lstate} \lceil X$ or $a \in C$.
       Then, by definition of $\mathit{Extend}(A)$, $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) = \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$,
       which suffices.


2. $\alpha_{k+1}$ is a trajectory.
   Suppose that $C$ is enabled in $\alpha_{k+1}.\mathit{lstate} \lceil X$ in $A$. There are two subcases to
   consider:

   (a) $C$ is enabled in $\alpha_{k+1}.\mathit{fstate} \lceil X$ in $A$.
       By inductive hypothesis $\alpha_{k+1}.\mathit{fstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{fstate}(\mathit{now}) + u$. By the well-
       formedness assumption, we know that $C$ must be enabled throughout $\alpha_{k+1}$ and
       by definition of $\mathit{Extend}(A)$ $\mathit{last}$ is constant throughout $\alpha_{k+1}$. Since the value of
       $\mathit{now}$ increases, it is easy to see that $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$.

   (b) $C$ is disabled in $\alpha_{k+1}.\mathit{fstate} \lceil X$ in $A$.
       Then, since it is enabled in $\alpha_{k+1}.\mathit{lstate} \lceil X$ by the well-formedness assumption,
       it becomes enabled at some point $t$ in the domain of $\alpha_{k+1}$ and remains
       enabled thereafter. Therefore, $\alpha_{k+1}(t)(\mathit{last}) = \alpha_{k+1}(t)(\mathit{now}) + u$, by definition
       of $\mathit{Extend}(A)$. Since $\mathit{last}$ remains constant after it is set and the value of $\mathit{now}$
       increases, $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$ holds.

∎


The theorem below shows that the executions of an automaton obtained by applying
the transformation $\mathit{Extend}$ to a TA with bounds respect the time bounds specified by the
lower bound $l$ and the upper bound $u$.


Theorem 5.19 Let $A = (B, C, l, u)$ be a TA with bounds. Then,


1. There does not exist a closed execution fragment $\alpha$ of $\mathit{Extend}(A)$ from a reachable
   state, where $\alpha.\mathit{ltime} > u$, $C$ is enabled in $A$ in all the states of $\alpha \lceil (A, X)$ and no
   action in $C$ occurs in $\alpha$.

2. There does not exist a closed execution fragment $\alpha$ of $\mathit{Extend}(A)$ from a reachable
   state, where $\alpha.\mathit{ltime} < l$, such that $C$ is not enabled in $A$ in the first state of $\alpha \lceil (A, X)$
   and an action in $C$ occurs in $\alpha$.


Proof: 


1. Suppose, for the sake of contradiction, that there exists a closed execution fragment
   $\alpha = \tau_0\, a_1\, \tau_1\, a_2 \ldots \tau_n$ of $\mathit{Extend}(A)$ from a reachable state, where $\alpha.\mathit{ltime} > u$, $C$ is
   enabled in $A$ in all the states of $\alpha \lceil (A, X)$ and none of the $a_i$ in $\alpha$ is in $C$. By definition
   of trajectories for $\mathit{Extend}(A)$ it must be the case that $\alpha.\mathit{lstate}(\mathit{now}) \le \alpha.\mathit{lstate}(\mathit{last})$.
   Since $C$ is enabled in $A$ in all states in $\alpha$, by Lemma 5.18 we have $\alpha.\mathit{fstate}(\mathit{last}) \le
   \alpha.\mathit{fstate}(\mathit{now}) + u$. By definition of $\mathit{Extend}(A)$, $\mathit{last}$ remains constant throughout $\alpha$;
   therefore, $\alpha.\mathit{lstate}(\mathit{last}) = \alpha.\mathit{fstate}(\mathit{last})$. Since $\alpha.\mathit{fstate}(\mathit{last}) \le \alpha.\mathit{fstate}(\mathit{now}) + u$,
   it follows that $\alpha.\mathit{lstate}(\mathit{last}) \le \alpha.\mathit{fstate}(\mathit{now}) + u$. By definition of $\alpha$, we have
   $\alpha.\mathit{lstate}(\mathit{now}) = \alpha.\mathit{fstate}(\mathit{now}) + \alpha.\mathit{ltime}$. It follows that $\alpha.\mathit{fstate}(\mathit{now}) + \alpha.\mathit{ltime} \le
   \alpha.\mathit{fstate}(\mathit{now}) + u$. This implies $\alpha.\mathit{ltime} \le u$. But this gives us the needed contra-
   diction since $\alpha.\mathit{ltime} > u$.


2. We assume that $\alpha$ is a closed execution fragment of $\mathit{Extend}(A)$ from a reachable state
   where $\alpha.\mathit{ltime} < l$, such that $C$ is not enabled in $A$ in the first state of $\alpha$ and an
   action in $C$ occurs in $\alpha$. Let $(x, a, x')$ be the first discrete transition of $\mathit{Extend}(A)$ in
   $\alpha$ such that $a \in C$. We show that the condition $x(\mathit{first}) \le x(\mathit{now})$, which has to hold
   for the discrete transition to occur, cannot be true, hence arrive at a contradiction.

   By Theorem 5.16, the set of trajectories of $\mathit{Extend}(A)$ is well-formed with respect
   to $C$. Therefore, $C$ can become enabled by either a discrete transition or during a
   trajectory, and remains enabled until the occurrence of $(x, a, x')$.

   (a) $C$ becomes enabled by a discrete transition and remains enabled in $A$ until the
       occurrence of $(x, a, x')$.
       Let $(y, b, y')$ be the discrete transition of $A$ that enables $C$. By item 3(c) in
       the definition of $D'$ we know that $\mathit{first}$ is set to $y(\mathit{now}) + l$ when $C$ becomes
       enabled. By item 3(b) in the definition of $D'$ and 3(a) in the definition of $T'$, we
       know that it remains constant so that $x(\mathit{first}) = y(\mathit{now}) + l$. Since $(x, a, x')$ is
       a discrete transition of $\mathit{Extend}(A)$, it must be the case that $x(\mathit{first}) \le x(\mathit{now})$.
       Since $x(\mathit{now}) \le y(\mathit{now}) + \alpha.\mathit{ltime}$ and $x(\mathit{first}) = y(\mathit{now}) + l$ it follows that
       $y(\mathit{now}) + l \le y(\mathit{now}) + \alpha.\mathit{ltime}$. But we know by assumption that $\alpha.\mathit{ltime} < l$
       which gives the needed contradiction.

   (b) $C$ becomes enabled at some point in the course of a trajectory $\tau$ and remains
       enabled in $A$ until the occurrence of $(x, a, x')$.
       Let $y$ be a state in the range of $\tau$ where $C$ becomes enabled. By item 3(c) in
       the definition of $T'$ we know that $\mathit{first}$ is set to $y(\mathit{now}) + l$ when $C$ becomes
       enabled and it remains constant in $\tau$ so that $x(\mathit{first}) = y(\mathit{now}) + l$. By item
       3(b) in the definition of $D'$ and 3(a) in the definition of $T'$, we know that
       $\mathit{first}$ remains constant until the occurrence of $(x, a, x')$. Since $(x, a, x')$ is a
       discrete transition of $\mathit{Extend}(A)$, it must be the case that $x(\mathit{first}) \le x(\mathit{now})$.
       Since $x(\mathit{now}) \le y(\mathit{now}) + \alpha.\mathit{ltime}$ and $x(\mathit{first}) = y(\mathit{now}) + l$ it follows that
       $y(\mathit{now}) + l \le y(\mathit{now}) + \alpha.\mathit{ltime}$. But we know by assumption that $\alpha.\mathit{ltime} < l$
       which gives the needed contradiction. ∎
Example 5.20 (Fischer's mutual exclusion algorithm specified using tasks and
bounds)


In Example 4.5 we presented the specification of Fischer's mutual exclusion algorithm
as a TA. This example illustrates an alternative way of specifying the same algorithm by
using a TA with bounds.


Recall that, formally, we define a TA with bounds as a TA augmented with a single
task along with lower and upper bounds for that task. The automaton in Figure 13 is,
however, augmented with a set of tasks and bounds. This is for notational convenience
and the automaton in Figure 13 should be viewed as the automaton representing the
cumulative result of adding in successive steps two tasks for each $i \in I$. We assume that
$\mathit{Extend}$ is applied once for each task. That is, we start with the timing-independent version
of $\mathit{FischerME}$, apply $\mathit{Extend}$ to the automaton augmented with the task $\{\mathit{set}_i\}$ to add the
lower bound 0 and the upper bound $u_{\mathit{set}}$, then apply $\mathit{Extend}$ to the resulting automaton
augmented with $\{\mathit{check}_i\}$ to add the lower bound $l_{\mathit{check}}$ and the upper bound $\infty$. Such
two successive applications are allowed since the result of the first application of $\mathit{Extend}$
satisfies the well-formedness conditions for the set of trajectories.


The result of these successive applications yields an automaton similar to the one in
Example 4.5. The only difference is that the mechanical application of the transformation
would reset the value of $\mathit{firstcheck}[i]$ to 0 as an effect of $\mathit{check}_i$ while we do not reset
$\mathit{firstcheck}[i]$ explicitly in 4.5, when it becomes disabled. This is because we make use
of the facts that the value of $\mathit{firstcheck}[i]$ is used only in determining whether $\mathit{check}_i$ is
enabled and that $\mathit{check}_i$ becomes enabled only in the poststate of $\mathit{set}_i$ which also sets the
value of $\mathit{firstcheck}[i]$. Note that this discrepancy does not give rise to any difference in
the behaviors of the two automata. ∎


5.4 Untiming 


We define an “untiming” operation that transforms a timed automaton to an untimed 
automaton of the kind defined in Section 2.5. The idea behind this operation is to reduce 
the state space of a timed automaton by identifying those states that are equivalent in 
the sense that they give rise to similar discrete behavior. The executions of the untimed 
automaton obtained as a result of applying the untiming operation to a TA, A, preserve 
the order of discrete actions of A but forget the possible time passage between them. This 
operation has its roots in a similar operation defined in [6, 4] but we do not deal with the 
finiteness of the resulting state space and ease of reachability analysis, as those papers do. 
Instead, we aim to understand the main ideas of the untiming operation of [6, 4] using our 
more general framework. 


The untiming operation uses the notion of congruence defined below to determine 
equivalence classes of states. 
Type PcValue = enumeration rem, test, set, check, leavetry, crit, leaveexit

Automaton FischerME2(u_set, l_check, I) where u_set ∈ R≥0, l_check ∈ R≥0, u_set < l_check

   Variables X: discrete pc, an array of elements of PcValue indexed by I,
                   initially ∀i ∈ I. pc[i] = rem
                discrete x ∈ I ∪ {⊥} initially x = ⊥

   States Q: val(X)

   Actions A: external try_i, crit_i, exit_i, rem_i
              internal test_i, set_i, check_i, reset_i   where i ∈ I

   Transitions D:
      external try_i
         precondition
            pc[i] = rem
         effect
            pc[i] := test

      external crit_i
         precondition
            pc[i] = leavetry
         effect
            pc[i] := crit

      internal test_i
         precondition
            pc[i] = test
         effect
            if x = ⊥ then
               pc[i] := set

      external exit_i
         precondition
            pc[i] = crit
         effect
            pc[i] := reset

      internal set_i
         precondition
            pc[i] = set
         effect
            x := i
            pc[i] := check

      internal reset_i
         precondition
            pc[i] = reset
         effect
            x := ⊥
            pc[i] := leaveexit

      internal check_i
         precondition
            pc[i] = check
         effect
            if x = i then
               pc[i] := leavetry
            else
               pc[i] := test

      external rem_i
         precondition
            pc[i] = leaveexit
         effect
            pc[i] := rem

   Trajectories T: {τ ∈ trajs(X) | pc and x constant in τ}

   Tasks C: ∀i ∈ I. {set_i}, {check_i}

   Bounds B:
      ∀i ∈ I. lower({set_i}) = 0,         upper({set_i}) = u_set
      ∀i ∈ I. lower({check_i}) = l_check, upper({check_i}) = ∞

Figure 13: FischerME with bounds
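The automaton of Figure 13 executed under the Extend operation of Section 5.3, as an added example that is not part of the paper: a small Python model keeps now, first and last for every task as items 3(a) to 3(d) of D' and item 3(d) of T' prescribe, then replays the interleaving in which one process performs check while another's set is still pending. With u_set < l_check the time advance that interleaving needs is refused by the upper bound on set, whereas with u_set >= l_check the same schedule ends with both processes in crit. The two-process instance, the schedule and the helper names are constructed for this example.

```python
import math

BOTTOM = None  # the value ⊥ of the shared variable x

class BoundViolation(Exception):
    """A step that the definition of Extend(A) forbids."""

class FischerExtend:
    """Fischer's automaton of Figure 13 with the now/first/last bookkeeping
    of Extend(A); task (kind, i) is enabled exactly when pc[i] == kind."""
    PRE = {"try": "rem", "test": "test", "set": "set", "check": "check",
           "crit": "leavetry", "exit": "crit", "reset": "reset",
           "rem": "leaveexit"}           # precondition on pc[i]
    NEXT = {"try": "test", "crit": "crit", "exit": "reset", "rem": "rem"}

    def __init__(self, n, u_set, l_check):
        self.now, self.x = 0.0, BOTTOM
        self.pc = {i: "rem" for i in range(1, n + 1)}
        self.tasks = [(k, i) for i in self.pc for k in ("set", "check")]
        # (l, u) per task, from the Bounds part of Figure 13
        self.bound = {t: (0.0, u_set) if t[0] == "set" else (l_check, math.inf)
                      for t in self.tasks}
        # start state: no task is enabled, so first = 0 and last = infinity
        self.first = {t: 0.0 for t in self.tasks}
        self.last = {t: math.inf for t in self.tasks}

    def enabled(self, task):
        return self.pc[task[1]] == task[0]

    def step(self, name, i):
        """Discrete transition name_i, items 1-3 of D' in Extend(A)."""
        if self.pc[i] != self.PRE[name]:
            raise BoundViolation(f"{name}_{i} is not enabled")
        task = (name, i) if name in ("set", "check") else None
        if task is not None and self.first[task] > self.now:  # item 3(a)
            raise BoundViolation(f"{name}_{i} before its lower bound")
        was_enabled = {t: self.enabled(t) for t in self.tasks}
        if name in self.NEXT:                  # effects, as in Figure 13
            self.pc[i] = self.NEXT[name]
        elif name == "test":
            if self.x is BOTTOM:
                self.pc[i] = "set"
        elif name == "set":
            self.x, self.pc[i] = i, "check"
        elif name == "check":
            self.pc[i] = "leavetry" if self.x == i else "test"
        else:                                  # reset
            self.x, self.pc[i] = BOTTOM, "leaveexit"
        for t in self.tasks:                   # items 3(b)-(d)
            lo, up = self.bound[t]
            if not self.enabled(t):                      # 3(d)
                self.first[t], self.last[t] = 0.0, math.inf
            elif not was_enabled[t] or t == task:        # 3(c)
                self.first[t], self.last[t] = self.now + lo, self.now + up
            # otherwise 3(b): first and last stay as they are

    def advance(self, d):
        """Trajectory of length d; item 3(d) of T' requires now <= last."""
        target = self.now + d
        for t in self.tasks:
            if self.enabled(t) and target > self.last[t]:
                raise BoundViolation(f"{t} would miss its upper bound")
        self.now = target

def contend(m):
    """Both processes pass test while x = ⊥, so both set tasks are enabled."""
    for i in (1, 2):
        m.step("try", i)
        m.step("test", i)

def race_schedule(u_set, l_check):
    """Process 1 checks while process 2's set is still pending.  Returns the
    processes in crit at the end, or None if the bounds rule the schedule out."""
    m = FischerExtend(2, u_set, l_check)
    try:
        contend(m)
        m.step("set", 1)               # x := 1, first[check_1] = l_check
        m.advance(l_check)             # needs l_check <= last[set_2] = u_set
        m.step("check", 1)
        m.step("crit", 1)
        m.step("set", 2)               # x := 2, still within u_set
        m.advance(l_check)
        m.step("check", 2)
        m.step("crit", 2)
    except BoundViolation:
        return None
    return {i for i, v in m.pc.items() if v == "crit"}

def forced_order(u_set, l_check):
    """With u_set < l_check, set_2 must land before check_1 can happen;
    returns (pc[1] after the check, x)."""
    m = FischerExtend(2, u_set, l_check)
    contend(m)
    m.step("set", 1)
    m.advance(u_set)                   # time cannot pass last[set_2] = u_set
    m.step("set", 2)
    m.advance(l_check - u_set)         # now = l_check = first[check_1]
    m.step("check", 1)                 # x = 2 != 1, so process 1 backs off
    return m.pc[1], m.x
```

The boundary case u_set = l_check also reaches crit for both processes, which is why the automaton requires the strict inequality u_set < l_check.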
5.4.1 State Congruence


Let $A = (X, Q, \Theta, E, H, D, T)$ be a TA. An equivalence relation $R \subseteq Q \times Q$ is a congruence
for $A$ if, for all actions $a \in (E \cup H)$ and trajectories $\tau \in T$ the following hold:


1. If $x\,R\,y$ and $x \in \Theta$ then $y \in \Theta$.
2. If $x\,R\,y$ and $x \xrightarrow{a} x'$ then there exists a state $y'$ such that $y \xrightarrow{a} y'$ and $x'\,R\,y'$.
3. If $x\,R\,y$, and $x \xrightarrow{\tau} x'$ then there exists a state $y'$ and a trajectory $\tau'$ such that
   $y \xrightarrow{\tau'} y'$ and $x'\,R\,y'$.


The relation $R$ partitions $Q$ into equivalence classes. In the rest of this section, we use $[x]$
to denote the equivalence class of $x \in Q$, that is $[x] = \{y \mid x\,R\,y\}$.


5.4.2 Definition of the Untiming Operation 


Given a TA $A = (X, Q, \Theta, E, H, D, T)$ and a congruence $R \subseteq Q \times Q$ for $A$, the untiming
operation yields an untimed automaton $\mathit{Untime}(A, R) = (Q', \Theta', E', H', D')$ where

• $Q' = \{[x] \mid x \in Q\}$.

• $\Theta' = \{[x] \mid x \in \Theta\}$.

• $E' = E$.

• $H' = H \cup \{\pi\}$ where $\pi$ is a special action representing time passage.

• $D' \subseteq Q' \times A' \times Q'$ where $A' = E' \cup H'$ such that

  1. $s \xrightarrow{a} s' \in D'$ if and only if there exists $(x, a, x') \in D$ where $[x] = s$ and $[x'] = s'$.
  2. $s \xrightarrow{\pi} s' \in D'$ if and only if there exists $\tau \in T$ where $\tau$ is closed, $[\tau.\mathit{fstate}] = s$
     and $[\tau.\mathit{lstate}] = s'$.


Example 5.21 ($\mathit{Untime}(AD, R)$) In this example we define a congruence for the automaton
$AD$ from Example 4.19 and give the result of applying the untiming operation to
$AD$ by using this congruence. Let $I$ be the set of intervals $\{(0,1), (1,\infty)\}$. Let $R$ be an
equivalence relation defined as follows. $x\,R\,y$ if the following conditions hold:


1. $x \lceil X_d = y \lceil X_d$.

2. For every $z \in X_c$, either $x(z), y(z) \in J$ for some $J \in I$ or $x(z) = y(z) = i$ for some
   integer $i$.

3. For every $z, w \in X_c$, $x(z) \ge x(w)$ if and only if $y(z) \ge y(w)$.


$R$ is a congruence for the automaton $AD$ from Example 4.19. Figure 14 contains a
graphical representation of $\mathit{Untime}(AD, R)$. Each node in the graph represents a state
of $\mathit{Untime}(AD, R)$, that is, an equivalence class of states of $AD$ with respect to $R$. The
annotations within the nodes are used to define the equivalence class. For example, a node
that is annotated with $s_0$ and $x = y = 0$ denotes the set of states $\{x \in Q_{AD} \mid x(\mathit{loc}) =
s_0, x(x) = 0, \text{ and } x(y) = 0\}$.


Figure 14: Untime(AD, R)


5.4.3 Basic Results


In this section we present some results that establish a correspondence between the exe- 
cutions of a TA and those of the corresponding untimed automaton. 


The lemma below states that the trace of discrete events in an execution fragment 
of a timed automaton is also exhibited by some execution fragment of the corresponding 
untimed automaton. 
Lemma 5.22 Suppose $A$ is a TA and $R$ is a congruence for $A$. If $\alpha$ is an execution
fragment of $A$, then $\mathit{Untime}(A, R)$ has an execution fragment $\alpha'$ such that $\alpha'.\mathit{fstate} =
[\alpha.\mathit{fstate}]$ and $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$.


Proof: We consider the following cases: 


1. $\alpha$ is an infinite sequence.
   Using axioms T1 and T2 we can write $\alpha$ as an infinite concatenation $\alpha_0 \frown \alpha_1 \frown \cdots$,
   in which each execution fragment $\alpha_i$ is either a trajectory with $\alpha_i.\mathit{ltime} > 0$ or a
   single discrete action surrounded by two point trajectories, and for every $i \ge 0$,
   $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$.

   We define a sequence $\alpha'_0\, \alpha'_1 \cdots$ of execution fragments of $\mathit{Untime}(A, R)$ such that

   (a) If $\alpha_i$ is a trajectory, then $\alpha'_i = (s, \pi, s')$ where $s = [\alpha_i.\mathit{fstate}]$ and $s' = [\alpha_i.\mathit{lstate}]$
       (recall that we use $[x]$ to denote the equivalence class of $x$ with respect to $R$).

   (b) If $\alpha_i$ is a single discrete action $a$ surrounded by two point trajectories, then
       $\alpha'_i = (s, a, s')$ where $s = [\alpha_i.\mathit{fstate}]$, $s' = [\alpha_i.\mathit{lstate}]$.

   It is immediate from the definition of $\mathit{Untime}(A, R)$ in Section 5.4.2 that each $\alpha'_i$
   constructed above is an execution fragment of $\mathit{Untime}(A, R)$ and that $\alpha'.\mathit{fstate} =
   [\alpha.\mathit{fstate}]$. By definitions of concatenation and execution fragments for untimed
   automata from Section 2.5 we have that $\alpha'_0 \frown \alpha'_1 \frown \cdots$ is an execution fragment
   of $\mathit{Untime}(A, R)$. By definitions of the operators $\mathit{trace}$ for untimed automata from
   Section 2.5, and for timed automata from Section 4, and $\mathit{discrete}$ from Section 3 we
   have $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$, as needed.

2. $\alpha$ is a finite sequence ending with a closed trajectory.
   Similar to the first case.

3. $\alpha$ is a finite sequence ending with an open trajectory.
   The sequence $\alpha'$ can be constructed similarly to the first case except for the last
   trajectory $\tau_n$ in $\alpha$. Taking $\alpha'_n$ to be the empty sequence gives the required result. ∎


Corollary 5.23 Suppose $A$ is a TA and $R$ is a congruence for $A$. If $\alpha$ is an execution of
$A$, then $\mathit{Untime}(A, R)$ has an execution $\alpha'$ such that $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$.


Proof: Let $\alpha$ be an execution of $A$. We know by Lemma 5.22 that $\mathit{Untime}(A, R)$ has an
execution $\alpha'$ such that $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$ and $\alpha'.\mathit{fstate} = [\alpha.\mathit{fstate}]$. Since $\alpha$ is
an execution of $A$, $\alpha.\mathit{fstate} \in \Theta_A$. Then by the definition in Section 5.4.2, $\alpha'.\mathit{fstate} \in \Theta'$
and therefore $\alpha'$ is an execution of $\mathit{Untime}(A, R)$, as needed. ∎
The following lemma states that, for every execution fragment $\alpha$ of $\mathit{Untime}(A, R)$ and
for every state $x$ that is in the equivalence class represented by the first state of $\alpha$, it is
possible to derive an execution fragment of $A$ from $x$ that exhibits the same discrete trace
as $\alpha$.


Lemma 5.24 Suppose $A$ is a TA and $R$ is a congruence for $A$. If $\alpha$ is an execution
fragment of $\mathit{Untime}(A, R)$ and $x$ is a state of $A$ such that $[x] = \alpha.\mathit{fstate}$, then $A$ has an
execution fragment $\alpha'$ from $x$ such that $\mathit{trace}(\alpha) = \mathit{actions}(\mathit{trace}(\alpha'))$.


Proof: 


1. $\alpha$ is an infinite sequence of the form $s_0\, a_1\, s_1\, a_2\, s_2 \ldots$
   The sequence $\alpha$ can be written as the concatenation $\alpha_0 \frown \alpha_1 \frown \alpha_2 \cdots$ of execution
   fragments $(s_i, a_{i+1}, s_{i+1})$ for $i \ge 0$. We define $\alpha'$ inductively as the concatenation
   $\alpha'_0 \frown \alpha'_1 \frown \alpha'_2 \cdots$ where $[\alpha'_0.\mathit{fstate}] = \alpha.\mathit{fstate}$ and for every $i \ge 0$,
   $\alpha'_i.\mathit{lstate} = \alpha'_{i+1}.\mathit{fstate}$ and $[\alpha'_i.\mathit{lstate}] = s_i$ as follows:

   (a) $\alpha'_0 = \wp(x)$. By axiom T0, $\alpha'_0$ is an execution fragment of $A$. Since $\alpha'_0.\mathit{fstate} = x$
       by construction of $\alpha'_0$ and $[x] = \alpha.\mathit{fstate}$ by definition of $x$, we have $[\alpha'_0.\mathit{fstate}] =
       \alpha.\mathit{fstate}$. Since $\alpha'_0.\mathit{lstate} = x$ by construction of $\alpha'_0$ and $[x] = \alpha.\mathit{fstate}$ by
       definition of $x$ and $\alpha.\mathit{fstate} = s_0$ by the assumed structure of $\alpha$ we have
       $[\alpha'_0.\mathit{lstate}] = s_0$.

   (b) For $i \ge 1$, if $\alpha_{i-1}$ is $(s_{i-1}, a_i, s_i)$ where $a_i \in (A' \setminus \{\pi\})$, then define $\alpha'_i$ to
       be $\wp(\alpha'_{i-1}.\mathit{lstate})\, a_i\, \wp(y)$ where $(\alpha'_{i-1}.\mathit{lstate}, a_i, y) \in D$ and $[y] = s_i$. We
       need to show that $A$ has such an execution fragment $\alpha'_i$. For $i \ge 1$, consider
       $\alpha_{i-1} = (s_{i-1}, a_i, s_i)$. By definition of $\mathit{Untime}(A, R)$ in Section 5.4.2,
       there must be some $(z, a_i, z') \in D$ such that $[z] = s_{i-1}$ and $[z'] = s_i$. By
       inductive hypothesis $[\alpha'_{i-1}.\mathit{lstate}] = s_{i-1}$. Since $[\alpha'_{i-1}.\mathit{lstate}] = s_{i-1} = [z]$
       we know by the definition of state congruence in Section 5.4.1 that there
       exists $y$ such that $(\alpha'_{i-1}.\mathit{lstate}, a_i, y) \in D$ and $[y] = [z'] = s_i$. Therefore,
       $\alpha'_i = \wp(\alpha'_{i-1}.\mathit{lstate})\, a_i\, \wp(y)$ is an execution fragment of $A$ where $\alpha'_i.\mathit{fstate} =
       \alpha'_{i-1}.\mathit{lstate}$ and $[\alpha'_i.\mathit{lstate}] = s_i$.

   (c) For $i \ge 1$, if $\alpha_{i-1}$ is $(s_{i-1}, a_i, s_i)$ where $a_i$ is the $\pi$ action, then define $\alpha'_i$ to be
       $\tau$ where $\tau \in T$, $\tau.\mathit{fstate} = \alpha'_{i-1}.\mathit{lstate}$ and $[\tau.\mathit{lstate}] = s_i$. We need to show that
       $A$ has such an execution fragment $\alpha'_i$. For $i \ge 1$, consider $\alpha_{i-1} = (s_{i-1}, a_i, s_i)$.
       By definition of $\mathit{Untime}(A, R)$ in Section 5.4.2, there must be some trajectory
       $\tau'$ such that $\tau'$ is closed, $[\tau'.\mathit{fstate}] = s_{i-1}$ and $[\tau'.\mathit{lstate}] = s_i$. By inductive
       hypothesis $[\alpha'_{i-1}.\mathit{lstate}] = s_{i-1}$. Since $[\alpha'_{i-1}.\mathit{lstate}] = s_{i-1} = [\tau'.\mathit{fstate}]$ we know
       by the definition of state congruence in Section 5.4.1 that there exists $\tau$ where
       $\tau.\mathit{fstate} = \alpha'_{i-1}.\mathit{lstate}$ and $[\tau.\mathit{lstate}] = s_i = [\tau'.\mathit{lstate}]$. Therefore, $\alpha'_i = \tau$ is an
       execution fragment of $A$ where $\alpha'_i.\mathit{fstate} = \alpha'_{i-1}.\mathit{lstate}$ and $[\alpha'_i.\mathit{lstate}] = s_i$.

   By construction of $\alpha'$, we have $\alpha.\mathit{fstate} = [\alpha'.\mathit{fstate}]$. Since $\alpha'_i.\mathit{lstate} = \alpha'_{i+1}.\mathit{fstate}$
   for all $i \ge 0$, we know by Lemma 4.7 that $\alpha' = \alpha'_0 \frown \alpha'_1 \frown \alpha'_2 \cdots$ is an execution
   fragment of $A$. It is easy to check that $\mathit{trace}(\alpha) = \mathit{actions}(\mathit{trace}(\alpha'))$.

2. $\alpha$ is a finite sequence of the form $s_0\, a_1\, s_1\, a_2\, s_2 \ldots s_n$.
   The proof is similar to the previous case. ∎


Corollary 5.25 Suppose $A$ is a TA and $R$ is a congruence for $A$. If $\alpha$ is an execution of
$\mathit{Untime}(A, R)$, and $x$ is a state of $A$ such that $[x] = \alpha.\mathit{fstate}$, then $A$ has an execution $\alpha'$
from $x$ such that $\mathit{trace}(\alpha) = \mathit{actions}(\mathit{trace}(\alpha'))$.


Proof: Let $\alpha$ be an execution of $\mathit{Untime}(A, R)$ and $x$ be a state of $A$ such that $[x] =
\alpha.\mathit{fstate}$. By Lemma 5.24, we know that $A$ has an execution fragment $\alpha'$ from $x$ such that
$\mathit{trace}(\alpha) = \mathit{actions}(\mathit{trace}(\alpha'))$. Since $\alpha$ is an execution, $\alpha.\mathit{fstate} \in \Theta'$. By the definition of
$\mathit{Untime}(A, R)$ in Section 5.4.2, we know that $x \in \Theta$, and therefore $\alpha'$ is an execution of $A$,
as needed. ∎


5.4.4 An Equivalence Relation for Alur-Dill Automata 


In [6, 4] Alur and Dill present a region construction technique that allows an infinite state 
space to be reduced to a finite state space by using an equivalence relation on states. 
Our untiming operation is based on a similar idea. It aims to reduce the state space by 
identifying those states that exhibit “equivalent” behavior. Our operation, however, does 
not use a fixed equivalence relation. Rather, it is parameterized by equivalence relations 
that meet our congruence criteria. 


In this section we formulate the equivalence relation of Alur and Dill presented in [6] 
in our framework and show that it is a congruence for an AD automaton under a certain 
set of assumptions. Recall that our definition of AD automata (see Section 4.3.2) does 
not impose any restrictions on the form of clock constraints. Adopting such a general 
definition and seeking a minimal set of assumptions required for the proof allows us to 
identify which restrictions were incorporated into the model of Alur and Dill mainly to 
ensure that the resulting region automata have a finite state space. 


Let $A = (X, Q, \Theta, E, H, D, \mathcal{T})$ be an AD timed automaton where $X$ is partitioned into two sets: $X_d$ of discrete variables and $X_c$ of clock variables. Let $I$ be the set of intervals and $P$ be the set of points in the time domain $\mathsf{T} = \mathbb{R}$ defined as follows:

$I = \{(t, t+1) \mid t \in \mathbb{N}\}$,
$P = \mathbb{N}$.


Now, we define an equivalence relation $\sim$ over $Q$. In our definition we use the notation $fr(v)$ for the fractional part of a value $v$. Two states $\mathbf{x}, \mathbf{y} \in Q$ are related, written $\mathbf{x} \sim \mathbf{y}$, if the following conditions hold:

1. $\mathbf{x} \lceil X_d = \mathbf{y} \lceil X_d$.

2. For every $x \in X_c$, either $\{\mathbf{x}(x), \mathbf{y}(x)\} \subseteq J$ for some $J \in I$, or $\mathbf{x}(x) = \mathbf{y}(x) = p$ for some $p \in P$.

3. For every $z, w \in X_c$, $fr(\mathbf{x}(z)) > fr(\mathbf{x}(w))$ if and only if $fr(\mathbf{y}(z)) > fr(\mathbf{y}(w))$.


The first property in the definition of ~ requires that a discrete variable have the 
same value in two related states. The second property involves clock variables. If a clock 
variable has a value that falls between a pair of consecutive integers, then its value must 
be between the same integers in a related state. Likewise, if a clock variable has an integer 
value, it must have the same value in a related state. The third property states that the 
ordering of the fractional parts of different clock variables must be the same across related 
states. 


The following theorem states that the relation $\sim$ defined above is a congruence for an AD automaton $A$ if the same discrete actions can be performed from two equivalent states with the same effect.

Theorem 5.26 Assume for an AD automaton $A$ that whenever $\mathbf{x} \sim \mathbf{y}$ for two states $\mathbf{x}, \mathbf{y} \in Q$, and $\mathbf{x} \xrightarrow{a} \mathbf{x}'$ is in $D$, then there exists $\mathbf{y} \xrightarrow{a} \mathbf{y}'$ in $D$ such that

• $\mathbf{x}' \lceil X_d = \mathbf{y}' \lceil X_d$.

• For every $x \in X_c$, $\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$.

Then the relation $\sim$ is a congruence for $A$.


Proof: We establish the three properties of congruence defined in Section 5.4.1 for the relation $\sim$.

1. Suppose $\mathbf{x} \sim \mathbf{y}$ and $\mathbf{x} \in \Theta$. By definition of AD automata from Section 4.3.2, if $\mathbf{x} \in \Theta$ then for all $x \in X_c$, $\mathbf{x}(x) = 0$. Since $\mathbf{x} \sim \mathbf{y}$, for all $x \in X_c$ we have $\mathbf{y}(x) = 0$, and $\mathbf{x} \lceil X_d = \mathbf{y} \lceil X_d$. It follows that $\mathbf{x} = \mathbf{y}$, and therefore $\mathbf{y} \in \Theta$ as needed.

2. Suppose $\mathbf{x} \sim \mathbf{y}$ and $\mathbf{x} \xrightarrow{a} \mathbf{x}'$ where $a$ is a discrete action. By assumption there exists $\mathbf{y}'$ such that $\mathbf{y} \xrightarrow{a} \mathbf{y}'$. It remains to show that $\mathbf{x}' \sim \mathbf{y}'$. We do this by establishing the three properties in the definition of $\sim$.

(a) The first property is immediate from the assumptions.

(b) For the second property, we are required to show that for all $x \in X_c$, $\mathbf{x}'(x)$ and $\mathbf{y}'(x)$ either are in the same interval or have the same integer value. We fix $x$ and consider two cases:

i. $\mathbf{x}'(x) = 0$.
By assumption $\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$. Clearly, $\mathbf{x}'(x)$ and $\mathbf{y}'(x)$ have the same integer value $0$.

ii. $\mathbf{x}'(x) \neq 0$.
By definition of AD automata from Section 4.3.2, $\mathbf{x}'(x) = \mathbf{x}(x)$. Since $\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$ by assumption, we have $\mathbf{y}'(x) \neq 0$, and by definition of AD automata we have $\mathbf{y}'(x) = \mathbf{y}(x)$. Since $\mathbf{x} \sim \mathbf{y}$ by hypothesis, $\mathbf{x}(x)$ and $\mathbf{y}(x)$ are in the same interval or have the same integer value. Since $\mathbf{y}'(x) = \mathbf{y}(x)$ and $\mathbf{x}'(x) = \mathbf{x}(x)$, the same holds for $\mathbf{x}'(x)$ and $\mathbf{y}'(x)$, as needed.

(c) For the third property, we are required to show that for any $z, w \in X_c$, the ordering between the fractional parts of $z$ and $w$ in $\mathbf{x}'$ is preserved in $\mathbf{y}'$. For a fixed $z$ and a fixed $w$ consider the following cases:

i. Neither $z$ nor $w$ is reset by action $a$.
Then $\mathbf{x}'(z) = \mathbf{x}(z)$ and $\mathbf{x}'(w) = \mathbf{x}(w)$, and by case (b) likewise $\mathbf{y}'(z) = \mathbf{y}(z)$ and $\mathbf{y}'(w) = \mathbf{y}(w)$. Since $\mathbf{x} \sim \mathbf{y}$, we know that $fr(\mathbf{x}(z)) > fr(\mathbf{x}(w))$ if and only if $fr(\mathbf{y}(z)) > fr(\mathbf{y}(w))$. It follows that $fr(\mathbf{x}'(z)) > fr(\mathbf{x}'(w))$ if and only if $fr(\mathbf{y}'(z)) > fr(\mathbf{y}'(w))$, as needed.

ii. Both $z$ and $w$ are reset by action $a$.
By assumption we have $\mathbf{x}'(z) = 0$ if and only if $\mathbf{y}'(z) = 0$, and $\mathbf{x}'(w) = 0$ if and only if $\mathbf{y}'(w) = 0$. Since $fr(\mathbf{x}'(z)) = fr(\mathbf{x}'(w)) = fr(\mathbf{y}'(z)) = fr(\mathbf{y}'(w)) = 0$, the ordering between the fractional parts of the clocks in $\mathbf{x}'$ is trivially preserved in $\mathbf{y}'$.

iii. Exactly one of the clocks is reset by action $a$.
Without loss of generality, let the clock that is reset be $z$. That is, $\mathbf{x}'(z) = 0$ and $\mathbf{x}'(w) = \mathbf{x}(w)$. Then, either $fr(\mathbf{x}'(w)) = 0$ or $fr(\mathbf{x}'(w)) \neq 0$. First, suppose $fr(\mathbf{x}'(w)) = 0$. Then $fr(\mathbf{x}'(z)) = fr(\mathbf{x}'(w))$. Since $fr(\mathbf{x}'(w)) = 0$, $\mathbf{x}'(w) = v$ for an integer $v$. By case (b), we have $\mathbf{y}'(w) = v$ and hence $fr(\mathbf{y}'(w)) = 0$. By assumption $\mathbf{y}'(z) = 0$, so $fr(\mathbf{y}'(z)) = fr(\mathbf{y}'(w))$. Now, suppose that $fr(\mathbf{x}'(w)) \neq 0$. Then $fr(\mathbf{x}'(z)) < fr(\mathbf{x}'(w))$. By the assumption that for all $x \in X_c$, $\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$, we have $\mathbf{y}'(z) = 0$. Since $\mathbf{x}'(w)$ and $\mathbf{y}'(w)$ lie in the same open interval by case (b), $fr(\mathbf{y}'(w)) \neq 0$. It follows that $fr(\mathbf{y}'(z)) < fr(\mathbf{y}'(w))$. Hence, we have shown that the ordering between the fractional parts of the clocks in $\mathbf{x}'$ is preserved in $\mathbf{y}'$.

3. Suppose $\mathbf{x} \sim \mathbf{y}$ and $\mathbf{x} \xrightarrow{\tau} \mathbf{x}'$ where $\tau$ is a trajectory. We need to show that we can find a trajectory $\tau'$ from $\mathbf{y}$ with $\mathbf{y}' = \tau'.lstate$ such that $\mathbf{x}' \sim \mathbf{y}'$, where $\mathbf{y}'(x) = \mathbf{y}(x) + \tau'.ltime$ for all $x \in X_c$. We do this by establishing the three properties in the definition of $\sim$.

(a) The first property is immediate from the assumption.

(b) For the second property, we are required to show that for all $x \in X_c$, $\mathbf{x}'(x)$ and $\mathbf{y}'(x)$ either are in the same interval or have the same integer value. We consider the following cases:

i. Zero time passage ($\tau.ltime = 0$).
Clearly, $\tau'$ with $\tau'.ltime = 0$ results in $\mathbf{y}' = \mathbf{y}$. Since $\mathbf{x}' = \mathbf{x}$ and $\mathbf{x} \sim \mathbf{y}$ by hypothesis, we have $\mathbf{x}' \sim \mathbf{y}'$, as needed.

ii. $\tau.ltime > 0$ and $\tau$ does not make any clock reach an integer boundary.

A. Some clocks remain in the same interval.
Let $Cross$ be the set of clocks that crossed to a new interval and let $NotCross$ be the set of clocks that did not cross to a new interval. We need to make sure that the $\tau'$ we choose makes all elements of $Cross$ cross to a new interval in $\mathbf{y}'$ and all elements of $NotCross$ remain in the same interval, while preserving the ordering of fractional parts of clock values across the two equivalent states. Consider the set $\{t - \mathbf{y}(z) \mid z \in Cross,\ \mathbf{x}'(z) \in (t, t+1)\}$ and define $m$ to be the maximum element of this set if it is non-empty, and $0$ if it is empty. Now, consider the set $\{(t+1) - \mathbf{y}(w) \mid w \in NotCross,\ \mathbf{x}(w), \mathbf{x}'(w) \in (t, t+1)\}$ and define $n$ to be the minimum element of this set. It is easy to check that for any $\tau'$ such that $m < \tau'.ltime < n$, property 2 holds for $\mathbf{x}'$ and $\mathbf{y}'$.

B. All clocks cross to a new interval.
Let $m, n \in \mathsf{T}$ be, respectively, the maximum and minimum elements of the set $\{t - \mathbf{y}(x) \mid \mathbf{x}'(x) \in (t, t+1)\}$. Taking $\tau'$ such that $m < \tau'.ltime < n + 1$ gives the required result.

iii. $\tau.ltime > 0$ and $\tau$ makes some clocks reach an integer boundary.
Let $Reach$ be the set of clocks that reached an integer boundary. Observe that for any two elements $z$ and $w$ of $Reach$ it must be the case that $fr(\mathbf{x}(z)) = fr(\mathbf{x}(w))$. Now, take some $z \in Reach$ and let $m = t - \mathbf{y}(z)$ where $t = \mathbf{x}'(z)$. Any $\tau'$ such that $\tau'.ltime = m$ gives us the required result. It is clear that such a $\tau'$ makes all the clocks in $Reach$ reach an integer boundary. For any $z \in Reach$ and any clock $w$ that has not reached an integer boundary in $\mathbf{x}'$, it must be the case that $fr(\mathbf{x}(z)) > fr(\mathbf{x}(w))$. By hypothesis and the third property of $\sim$, we also know that $fr(\mathbf{y}(z)) > fr(\mathbf{y}(w))$. It follows that $w$ does not reach an integer boundary in $\mathbf{y}'$, as required. In the case where $w$ is a clock that has crossed an integer boundary in $\mathbf{x}'$, we observe that $fr(\mathbf{x}(z)) < fr(\mathbf{x}(w))$ holds and conclude that the $\tau'$ we have chosen makes $w$ cross the same integer boundary in $\mathbf{y}'$.

(c) For the third property, we need to show that the $\tau'$ we defined for each case above ensures that the ordering between the fractional parts of the clocks in $\mathbf{x}'$ is preserved in $\mathbf{y}'$.

By property 2, which we have established for $\mathbf{x}'$ and $\mathbf{y}'$, we know that, for any $x \in X_c$, if $\tau$ leads to $\mathbf{x}'(x) \in J$ then $\tau'$ has the same effect on $\mathbf{y}$, so that $\mathbf{y}'(x) \in J$. Similarly, if $\tau$ makes a clock reach an integer boundary in the evolution from $\mathbf{x}$ to $\mathbf{x}'$, that is, $\mathbf{x}'(x) = t$, then $\tau'$ yields $\mathbf{y}'(x) = t$. Since $\mathbf{x} \sim \mathbf{y}$, by property 3 we also know that the ordering between the fractional parts of the clocks in $\mathbf{x}$ and $\mathbf{y}$ is the same. We know that in $\tau'$ all the clocks increase by the same amount. It follows that the ordering between the fractional parts of the clocks in $\mathbf{x}'$ and $\mathbf{y}'$ is the same. ∎
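As an added example (not part of the paper), the following Python code implements the relation $\sim$ and the two kinds of steps of an AD automaton, and checks the congruence conditions of Theorem 5.26 on concrete states. The state encoding, the function names (`state`, `equiv`, `discrete_step`, `time_passage`, `matching_delay`) and the sample clock readings are our own assumptions. The matching trajectory for time passage is found by enumerating candidate delays for $\mathbf{y}$ rather than by the case analysis of the proof; the enumeration is finite because only the instants at which a clock of $\mathbf{y}$ hits an integer, and the gaps between them, can change the region of $\mathbf{y}$.

```python
from fractions import Fraction
from itertools import permutations
from math import floor

# Hypothetical state encoding (ours, not the paper's): a state is a pair
# (discrete, clocks), where `discrete` maps the variables in X_d to values and
# `clocks` maps the variables in X_c to exact Fraction readings.  Fractions
# keep fractional parts exact; floats would misclassify integer boundaries.


def state(loc, **clocks):
    """Build a state with one discrete variable `loc` and the given clocks,
    readings written as exact fractions, e.g. state("idle", c1="3/10")."""
    return ({"loc": loc}, {c: Fraction(v) for c, v in clocks.items()})


def fr(v):
    """Fractional part of v."""
    return v - floor(v)


def same_region(u, v):
    """Condition 2 of ~ for one clock: both readings lie in the same open
    interval (t, t+1) with t a natural number, or both equal the same
    natural number."""
    if fr(u) == 0 or fr(v) == 0:
        return u == v
    return floor(u) == floor(v)


def equiv(x, y):
    """The Alur-Dill equivalence x ~ y of Section 5.4.4."""
    xd, xc = x
    yd, yc = y
    if xd != yd or xc.keys() != yc.keys():                  # condition 1
        return False
    if not all(same_region(xc[c], yc[c]) for c in xc):      # condition 2
        return False
    return all((fr(xc[z]) > fr(xc[w])) == (fr(yc[z]) > fr(yc[w]))
               for z, w in permutations(xc, 2))             # condition 3


def discrete_step(x, new_discrete, reset):
    """An AD discrete step (Section 4.3.2): the discrete part is replaced,
    the clocks in `reset` become 0 and every other clock keeps its value."""
    _, xc = x
    return (dict(new_discrete),
            {c: Fraction(0) if c in reset else v for c, v in xc.items()})


def time_passage(x, d):
    """A trajectory of duration d: every clock advances by d, the discrete
    part stays constant."""
    d = Fraction(d)
    xd, xc = x
    return (dict(xd), {c: v + d for c, v in xc.items()})


def matching_delay(x, y, d):
    """Given x ~ y and a delay d taken from x, return a delay d' for y such
    that time_passage(x, d) ~ time_passage(y, d').  Instead of the case
    analysis in the proof of Theorem 5.26 this enumerates the finitely many
    candidate delays for y: the instants at which some clock of y hits an
    integer, plus a midpoint between each pair of consecutive instants, up
    to a bound beyond which every clock of y has passed the region x reached."""
    if not equiv(x, y):
        raise ValueError("matching_delay requires x ~ y")
    d = Fraction(d)
    target = time_passage(x, d)
    _, yc = y
    if not yc:
        return d
    limit = floor(max(target[1].values())) + 1
    points = {Fraction(0), Fraction(limit)}
    for v in yc.values():
        k = floor(v)
        while k - v <= limit:
            if k - v >= 0:
                points.add(k - v)
            k += 1
    points = sorted(points)
    candidates = sorted(points + [(p + q) / 2 for p, q in zip(points, points[1:])])
    for cand in candidates:
        if equiv(target, time_passage(y, cand)):
            return cand
    raise AssertionError("Theorem 5.26 guarantees a matching delay")


if __name__ == "__main__":
    x = state("idle", c1="3/10", c2="17/10")
    y = state("idle", c1="1/2", c2="19/10")
    print("x ~ y:", equiv(x, y))
    print("same reset keeps ~:", equiv(discrete_step(x, {"loc": "busy"}, {"c2"}),
                                       discrete_step(y, {"loc": "busy"}, {"c2"})))
    print("equal delays keep ~:", equiv(time_passage(x, "1/2"), time_passage(y, "1/2")))
    print("matching delay for y:", matching_delay(x, y, "1/2"))
```

Two things the example makes visible that the proof only states: letting the same delay elapse from two equivalent states does not in general preserve $\sim$ (from the sample states, a delay of $1/2$ takes $\mathbf{x}$ into the region where $c_1 \in (0,1)$ but puts $\mathbf{y}(c_1)$ exactly on the boundary $1$), which is why property 3 of a congruence asks for a possibly different trajectory $\tau'$; and the assumption of Theorem 5.26 on resets is needed, since resetting different clocks from $\mathbf{x}$ and $\mathbf{y}$ breaks the relation.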


6 Properties for Timed Automata 


In this section, we define what we mean by a property for a timed automaton, describe 
some types of properties that are typically specified and proved for systems, and state 
some results about composition of automata with properties. 


6.1 Definitions and Basic Results 


A property $P$ for a timed automaton $A$ is defined to be any subset of the execution fragments of $A$. We write $execs_{(A,P)}$ for the set of executions of $A$ in $P$, $traces_{(A,P)}$ for the set of traces of executions of $A$ in $P$, and $tracefrags_{(A,P)}$ for the set of traces of execution fragments of $A$ in $P$.


6.1.1 Safety and Liveness Properties 


[[Nancy: We should ask Frits and Roberto to consider/approve the changed discussion of safety and liveness properties, and other significant changes we are making near the end of the paper.]]


A property P for a TA A is said to be a safety property if it is closed under prefix and 
limits of execution fragments. In other words, if an execution fragment satisfies a safety 
property P, then so do all its prefixes, and if all the executions in a “chain” of successive 
extensions satisfy P, then so does the “limit” of the chain. Safety properties represent 
requirements that should be maintained by the system throughout its execution. 


We say that an automaton A satisfies a safety property S if every execution of A is in 
S. Typically, the satisfaction of a safety property by an automaton is proved by induction. 
One shows that the property holds in any trivial execution fragment consisting of a point 
trajectory and that it is preserved by discrete steps and trajectories of the automaton. 


A property $P$ for $A$ is defined to be a liveness property provided that for any closed execution fragment $\alpha$ of $A$, there exists an execution fragment $\beta$ such that $\alpha \frown \beta \in P$. In other words, no matter how $A$ behaves for a finite period of time, it is still possible for it to continue in some way and satisfy $P$.


We say that an automaton $A$ satisfies a liveness property $L$ if every "maximal" execution of $A$ (an execution $\alpha$ such that there exists no execution of which $\alpha$ is a proper prefix) is in $L$. Typically, the proof of the satisfaction of a liveness property by an automaton involves the use of proof rules of a temporal logic, or progress functions from states to a well-founded set that measure the distance from the desired goal.


These definitions of safety and liveness are analogous to those considered for untimed 
systems in [3, 8, 10], and have also been adopted in the few models for timed systems that 
have addressed the classification of properties as safety and liveness properties [36, 1]. In 
order to support the definitions for our model we establish the following results, stated 
formally in Theorems 6.1 and 6.4: (1) The classes of safety and liveness properties are 
disjoint, (2) Every property can be expressed as the intersection of a safety and a liveness 
property. 


The following theorem states that no property of a timed automaton can be both a 
safety and a liveness property, except for the special case where the property consists of 
all the execution fragments of the automaton. 


Theorem 6.1 Let $A$ be a TA. If $P$ is both a safety property and a liveness property for $A$, then $P = frags_A$.

Proof: Suppose that $P$ is both a safety and a liveness property for $A$ and let $\alpha$ be any execution fragment of $A$. We show $\alpha \in P$. Consider the following cases:

1. $\alpha$ is a closed execution fragment.
Then, since $P$ is a liveness property, there exists $\beta$ such that $\alpha \frown \beta \in P$. Since $P$ is also a safety property and is prefix-closed by definition, it must be that $\alpha \in P$.

2. $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory.
Then $\alpha$ can be expressed as the limit of a chain of closed execution fragments $\alpha_0\ \alpha_1\ \alpha_2 \ldots$. In case (1) we have established that for all $i \geq 0$, $\alpha_i \in P$. Since $P$ is a safety property, the limit of this chain, which is $\alpha$, must be in $P$.

Cases (1) and (2) together imply that $P = frags_A$. ∎


Let $A$ be a TA and $P$ be a property for $A$. We define $safe(P)$ to be the prefix- and limit-closure of the property $P$.

Lemma 6.2 Let $A$ be a TA. For any property $P$ for $A$, $safe(P)$ is a safety property for $A$.

Proof: Immediate from the definitions of $safe(P)$ and of a safety property. ∎

Lemma 6.3 Let $A$ be a TA and $P$ be a property for $A$. If $\alpha$ is a closed execution fragment and $\alpha \in safe(P)$ then $\alpha$ is a prefix of some element in $P$.


The following theorem states that any property for an automaton can be expressed as 
the intersection of a safety and a liveness property for that automaton. 


Theorem 6.4 Let $A$ be a TA. If $P$ is a property for $A$, then there exists a safety property $S$ and a liveness property $L$ for $A$ such that $P = S \cap L$.

Proof: Let $S = safe(P)$. By Lemma 6.2, we know that $S$ is a safety property for $A$. Let $L = P \cup \{\alpha \mid \alpha \in frags_A,\ \alpha \text{ is closed, and no execution fragment of the form } \alpha \frown \beta \text{ is in } P\}$. We now show that $L$ is a liveness property. Let $\alpha$ be a closed execution fragment of $A$. If there exists some execution fragment $\beta$ of $A$ such that $\alpha \frown \beta \in P$, then $\alpha \frown \beta \in L$ because $P \subseteq L$. On the other hand, if there is no execution fragment $\beta$ such that $\alpha \frown \beta \in P$, then $\alpha$ is explicitly defined to be in $L$. Hence, we have shown that any closed execution fragment of $A$ has an extension in $L$, as needed.

In order to conclude $P = S \cap L$, we need to show that $P \subseteq S \cap L$ and that $S \cap L \subseteq P$. $P \subseteq S \cap L$ is immediate from the definitions of $S$ and $L$. We now show that $S \cap L \subseteq P$. Let $\alpha$ be an execution fragment in $S \cap L$ and suppose for the sake of contradiction that $\alpha \notin P$. Since $\alpha \in L - P$, by definition of $L$, $\alpha$ is closed and there exists no execution fragment $\beta$ such that $\alpha \frown \beta \in P$. Since $\alpha \in S$ and $\alpha$ is closed, by Lemma 6.3, $\alpha$ must be a prefix of an execution fragment in $P$. This gives the needed contradiction. ∎


6.1.2 Machine-closure


Consider a safety property $S$ and a liveness property $L$ for an automaton $A$. It is in general desirable that $L$ does not itself impose safety constraints beyond those already imposed by $S$. To achieve this, $L$ should be defined so that every closed execution in $S$ can be extended to some execution that is in both $S$ and $L$. The notion of machine-closure is used to formalize this condition. The pair of properties $(S, L)$ is defined to be machine-closed provided that, for every closed execution fragment $\alpha \in S$, there exists $\beta$ such that $\alpha \frown \beta \in S \cap L$.


Example 6.5 (A non-machine-closed pair of properties) Consider the timing-independent TA $A$, given in Figure 15, whose set of state variables consists of a single discrete variable $countb$, and whose set of trajectories is exactly the set of constant-valued functions over left-closed time intervals with left endpoint $0$. The automaton $A$ can perform $b$ at any time and it can perform $a$ provided that it has not performed $b$. Now, consider the liveness property $L$ for $A$ that consists of all the executions with infinitely many discrete actions and the safety property $S$ for $A$ that consists of all the executions containing at most one $b$ event. Then, since $b$ disables all future $a$s, the intersection of $L$ and $S$ contains all the executions of $A$ with infinitely many $a$ events and no $b$ events.

Automaton A

Variables X:      discrete countb ∈ ℤ initially 0
States Q:         val(X)
Actions A:        external a, b
Transitions D:
    external a
        precondition
            countb = 0
    external b
        effect
            countb := countb + 1
Trajectories T:   satisfies
    constant(countb)

Figure 15: Machine closure

Now, consider a closed execution $\alpha$ in $S$ whose last action is $b$. This implies that $\alpha$ has no extension that contains an $a$, since by assumption the occurrence of $b$ disables $a$. The only way of extending $\alpha$ to an execution $\alpha \frown \alpha'$ that contains infinitely many discrete actions is to perform infinitely many $b$s, but this would yield an execution $\alpha \frown \alpha'$ in $L - S$. Hence, the pair $(S, L)$ is not machine-closed. ∎


The above example illustrates that if a pair of safety and liveness properties for an automaton is not machine-closed, then the automaton may exhibit an anomaly: after some prefixes, the automaton may not be able to meet its liveness requirement without violating its safety requirement. This phenomenon has been observed in several studies on the classification of properties for untimed systems, including those by Dederichs and Weber [10], and Abadi and Lamport [1]. These studies suggest that the problem lies in defining the intended safety and liveness properties independently from one another. If the above-mentioned anomaly is to be avoided, a pair of safety and liveness properties needs to be defined so that the pair is machine-closed.


The following theorem states that a pair of a safety and a liveness property for an automaton is machine-closed if the liveness property is defined as a subset of the safety property.

Theorem 6.6 Let $A$ be a TA, $S$ be a safety property and $L$ be a liveness property for $A$ such that $L \subseteq S$. Then the pair $(S, L)$ is machine-closed.

Proof: Let $\alpha$ be a closed execution fragment in $S$. Since $L$ is a liveness property for $A$, there exists $\beta$ such that $\alpha \frown \beta \in L$. Since $L \subseteq S$, we have that $\alpha \frown \beta \in S \cap L$. Thus, $(S, L)$ is machine-closed. ∎


Machine-closure of a pair of properties can also be characterized by conditions equivalent to the one used in our formal definition above. The first condition in the following theorem states that a pair $(S, L)$ is machine-closed iff $S$ is the same as the prefix and limit closure of the intersection of $S$ and $L$. The second condition states that whenever the intersection of $S$ and $L$ is contained in a safety property, $S$ itself is contained in the same safety property. That is, $L$ does not add new safety constraints to those already defined by $S$.


Theorem 6.7 Let $S$ be a safety property and $L$ be a liveness property for an automaton $A$. The pair $(S, L)$ is machine-closed iff either of the following holds:

1. $S = safe(S \cap L)$.

2. If $S'$ is a safety property and $S \cap L \subseteq S'$ then $S \subseteq S'$.

Proof: We show the following three implications: (1) if $(S, L)$ is machine-closed then $S = safe(S \cap L)$, (2) if $S = safe(S \cap L)$, then for any safety property $S'$, $S \cap L \subseteq S'$ implies $S \subseteq S'$, and (3) if for every safety property $S'$, $S \cap L \subseteq S'$ implies $S \subseteq S'$, then $(S, L)$ is machine-closed.

1. Suppose $(S, L)$ is machine-closed. In order to show that $S = safe(S \cap L)$, we need to establish $S \subseteq safe(S \cap L)$ and $safe(S \cap L) \subseteq S$. To establish $S \subseteq safe(S \cap L)$ we take some $\alpha \in S$ and consider the following two cases:

(a) $\alpha$ is a closed execution fragment.
By the machine-closure assumption there exists $\beta$ such that $\alpha \frown \beta \in S \cap L$. Since $safe(S \cap L)$ contains all the prefixes of elements of $S \cap L$, $\alpha \in safe(S \cap L)$, as needed.

(b) $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory.
Then $\alpha$ must be the limit of a chain of closed execution fragments $\alpha_0\ \alpha_1 \cdots$ in $S$. Since $S$ is a safety property, every prefix of $\alpha$ is in $S$. Therefore for each $i$, we have $\alpha_i \in S$. By case (a), for each $i$, $\alpha_i \in safe(S \cap L)$. By definition of $safe(S \cap L)$ the limit $\alpha$ is also in $safe(S \cap L)$, as needed.

To show $safe(S \cap L) \subseteq S$, take some $\alpha \in safe(S \cap L)$. We consider two cases:

(a) $\alpha$ is a closed execution fragment.
Then, by Lemma 6.3, $\alpha$ is a prefix of some element in $S \cap L$. That is to say, $\alpha \frown \beta \in S \cap L$ for some $\beta$, and it follows that $\alpha \frown \beta \in S$. Since $S$ is a safety property we have $\alpha \in S$, as needed.

(b) $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory.
Then $\alpha$ must be the limit of a chain of closed execution fragments $\alpha_0\ \alpha_1 \cdots$ in $safe(S \cap L)$. We have established in case (a) that each closed execution fragment $\alpha_i$ is in $S$. Since $S$ is a safety property, the limit $\alpha$ must also be in $S$, as needed.

2. Suppose $S = safe(S \cap L)$. Let $S'$ be a safety property such that $S \cap L \subseteq S'$. Let $\alpha \in S$; we show that $\alpha \in S'$.

(a) $\alpha$ is a closed execution fragment.
Since $S = safe(S \cap L)$ by assumption, $\alpha \in safe(S \cap L)$, and since $\alpha$ is closed, by Lemma 6.3, $\alpha$ is a prefix of some element in $S \cap L$. Since $S \cap L \subseteq S'$ we have that $\alpha$ is a prefix of some element of $S'$. Since $S'$ is a safety property, $\alpha \in S'$.

(b) $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory.
Then $\alpha$ must be the limit of a chain of closed execution fragments $\alpha_0\ \alpha_1 \cdots$ in $safe(S \cap L)$. We have established in case (a) that each closed execution fragment $\alpha_i$ is in $S'$. Since $S'$ is a safety property, the limit $\alpha$ must also be in $S'$, as needed.

3. Suppose that for every safety property $S'$, $S \cap L \subseteq S'$ implies $S \subseteq S'$. We must show that for every closed execution fragment $\alpha \in S$, there exists $\beta$ such that $\alpha \frown \beta \in S \cap L$. Let $\alpha$ be a closed execution fragment in $S$. By Lemma 6.2 we have that $safe(S \cap L)$ is a safety property. Since $S \cap L \subseteq safe(S \cap L)$, by assumption $S \subseteq safe(S \cap L)$. Since $\alpha \in S$, we have that $\alpha \in safe(S \cap L)$. Since $\alpha$ is closed, by Lemma 6.3, $\alpha$ is a prefix of some element of $S \cap L$. That is to say, there exists $\beta$ such that $\alpha \frown \beta \in S \cap L$, as needed. ∎


6.1.3 Special kinds of properties


Fairness properties: Proving interesting liveness properties requires some assumptions saying that certain activities in a concurrent system get "enough" chances to make progress. Fairness properties are special kinds of liveness properties that express such assumptions. We define two types of fairness: weak fairness and strong fairness.

Let $A$ be a TA and let $C$ be a subset of the actions of $A$. Let $\alpha$ be an execution fragment of $A$. Then:

1. $\alpha$ is weakly fair for $C$ if (at least) one of the following conditions holds:

(a) $\alpha$ contains infinitely many events from $C$.
(b) There is no suffix $\beta$ of $\alpha$ such that $C$ is enabled in all states of $\beta$.

2. $\alpha$ is strongly fair for $C$ if (at least) one of the following conditions holds:

(a) $\alpha$ contains infinitely many events from $C$.
(b) There is some suffix $\beta$ of $\alpha$ such that $C$ is disabled in all states of $\beta$.

Consider a finite execution fragment $\alpha$. If $\alpha$ ends with a closed trajectory, the definition above says that for $\alpha$ to be weakly fair or strongly fair for $C$, $C$ must be disabled in $\alpha.lstate$. On the other hand, if $\alpha$ ends with a right-open trajectory, $\alpha$ is weakly fair provided that there are state occurrences with $C$ disabled at times arbitrarily close to $\alpha.ltime$, and $\alpha$ is strongly fair provided that $C$ is continuously disabled from some point on in $\alpha$.
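As an added example (not the paper's own code), the following Python model of the automaton $A$ of Figure 15 makes two things above executable: the machine-closure failure of Example 6.5, and the fairness conditions for finite execution fragments ending with a closed trajectory. Because $A$ is timing-independent with constant trajectories, a closed execution is determined by its sequence of discrete actions, so an execution is encoded as a list such as `["a", "a", "b"]`; that encoding, the function names and the cycle-based extension check are our own assumptions. The check relies on the fact that only finitely many $(countb, \text{number of } b\text{s})$ pairs are reachable by $S$-preserving steps, so an infinite $S$-preserving extension (which is what $S \cap L$ demands) exists exactly when a cycle is reachable in that finite graph.

```python
# Model of the timing-independent automaton A of Figure 15 (our encoding,
# not the paper's): the only state variable is countb, trajectories are
# constant, so a closed execution is just its list of discrete actions.

INITIAL_COUNTB = 0


def enabled(countb):
    """Actions enabled in the state countb: a requires countb = 0 (its
    precondition); b has no precondition and is always enabled."""
    return {"a", "b"} if countb == 0 else {"b"}


def step(countb, action):
    """Effect of one discrete step: b increments countb, a leaves it as is."""
    if action not in enabled(countb):
        raise ValueError(f"{action!r} is not enabled when countb = {countb}")
    return countb + 1 if action == "b" else countb


def run(actions):
    """Last state of the closed execution performing `actions` from the
    initial state."""
    countb = INITIAL_COUNTB
    for act in actions:
        countb = step(countb, act)
    return countb


def in_S(actions):
    """Safety property S of Example 6.5: at most one b event.  Every prefix
    of an execution in S is again in S, as a safety property requires."""
    return actions.count("b") <= 1


def extendable_in_S_and_L(actions):
    """Machine-closure test for (S, L) at one closed execution, where L is
    'infinitely many discrete actions'.  Only steps that keep the execution
    inside S are followed, so the explored nodes (countb, number of b's) form
    a finite graph, and an infinite S-preserving extension exists exactly
    when a cycle is reachable from the node of the last state."""
    if not in_S(actions):
        return False

    def successors(node):
        countb, nb = node
        for act in enabled(countb):
            nxt = (step(countb, act), nb + (1 if act == "b" else 0))
            if nxt[1] <= 1:          # a second b would leave S
                yield nxt

    on_path, finished = set(), set()

    def reaches_cycle(node):
        on_path.add(node)
        for nxt in successors(node):
            if nxt in on_path or (nxt not in finished and reaches_cycle(nxt)):
                return True
        on_path.remove(node)
        finished.add(node)
        return False

    return reaches_cycle((run(actions), actions.count("b")))


def machine_closure_anomaly(max_len=5):
    """Breadth-first search for the shortest closed execution in S that has
    no extension in S and L (the witness of Example 6.5); None if there is
    none of length at most max_len."""
    frontier = [[]]
    for _ in range(max_len + 1):
        nxt = []
        for ex in frontier:
            if not extendable_in_S_and_L(ex):
                return ex
            for act in sorted(enabled(run(ex))):
                if in_S(ex + [act]):
                    nxt.append(ex + [act])
        frontier = nxt
    return None


def fair_closed(actions, C):
    """Fairness of a finite execution ending with a closed trajectory
    (Section 6.1.3): weak and strong fairness for C coincide there, and hold
    iff every action of C is disabled in the last state."""
    return not (enabled(run(actions)) & set(C))


if __name__ == "__main__":
    print("anomaly witness:", machine_closure_anomaly())
    print("['a','a'] extendable in S and L:", extendable_in_S_and_L(["a", "a"]))
    print("['a','b'] fair for {a}:", fair_closed(["a", "b"], {"a"}))
    print("['a','b'] fair for {b}:", fair_closed(["a", "b"], {"b"}))
```

The search returns `["b"]`: the closed execution that performs a single $b$ is in $S$, yet no $S$-preserving step is possible from its last state, so it has no extension in $S \cap L$. The fairness check also shows why $\{b\}$-fairness is never satisfied by a finite closed execution of this automaton: $b$ is enabled in every state, so only executions with infinitely many $b$s can be fair for $\{b\}$.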


Theorem 6.8 Let $A$ be a TA, $C$ a subset of the actions of $A$ and $\alpha$ an execution fragment of $A$. If $\alpha$ is strongly fair for $C$ then $\alpha$ is weakly fair for $C$.

Proof: Follows from the definitions of strong and weak fairness. ∎

Theorem 6.9 For any timed automaton $A$ and any subset $C$ of its actions, the set of strongly fair execution fragments for $C$ is a liveness property for $A$.

Proof: Fix a TA $A$, a subset $C$ of the actions of $A$, and let $\alpha$ be a closed execution fragment of $A$. We are required to show that for some $\beta$, $\alpha \frown \beta$ is strongly fair for $C$. Construct an execution fragment $\beta = \alpha_0 \frown \alpha_1 \frown \cdots$ as follows:

• $\alpha_0 = \wp(\alpha.lstate)$,

• For each $i \geq 1$, if there exists $(\alpha_{i-1}.lstate, b, \mathbf{y}) \in D_A$ for some $b \in C$ and some $\mathbf{y} \in Q_A$, then choose some such $b$ and $\mathbf{y}$ and define $\alpha_i = \wp(\alpha_{i-1}.lstate)\ b\ \wp(\mathbf{y})$; otherwise, $i - 1$ is the final index in the sequence.

It follows that, if $\beta$ is a finite sequence then $C$ is disabled in its last state. Therefore, for some suffix of $\beta$, $C$ is disabled in all states and $\alpha \frown \beta$ is strongly fair with respect to $C$. On the other hand, if $\beta$ is an infinite sequence then $\alpha \frown \beta$ has infinitely many events from $C$, as needed. ∎

Corollary 6.10 For any timed automaton $A$ and any subset $C$ of its actions, the set of weakly fair execution fragments for $C$ is a liveness property for $A$.

Proof: Follows from Theorem 6.8 and Theorem 6.9. ∎
Admissibility: Admissibility is another notion that is fundamental to any useful formal model for timed systems. It is hard to think about executions such as those that arise from Zeno behavior, yet they make formal sense. Admissibility conditions help one to avoid considering such executions in reasoning about properties. The formal definition of admissibility is given in Section 3.4.1: an execution fragment $\alpha$ is admissible if $\alpha.ltime = \infty$.

Theorem 6.11 A timed automaton $A$ is feasible if and only if its set of admissible execution fragments is a liveness property for $A$.

Proof: Immediate from the definitions of feasibility and liveness property. ∎


History-independence: History-independence is an important characteristic of properties that simplifies the analysis of the behavior of an automaton. A property $P$ of a timed automaton $A$ is said to be history-independent provided that the following holds: for every execution fragment $\alpha$, if $\alpha'$ is a suffix of $\alpha$, then $\alpha \in P$ if and only if $\alpha' \in P$. In other words, whether or not $\alpha$ satisfies $P$ is determined only by what happens in its suffixes; it is not affected by what happens in any initial portion of $\alpha$. If a property $P$ is known to be history-independent, then one can prove that an execution fragment $\alpha$ satisfies $P$ by considering the portion of $\alpha$ from some point onward.

The liveness properties that are typically used are history-independent. The fairness and admissibility properties defined earlier in the section constitute examples of history-independent properties, as shown in the following theorems.

Theorem 6.12 For any timed automaton $A$, and any subset $C$ of its actions, the set of weakly fair execution fragments for $C$ is history-independent.

Proof: Fix a TA $A$, a subset $C$ of the actions of $A$, and let $\alp
ha = \alpha' \frown \alpha''$ with $\alpha'.lstate = \alpha''.fstate$ be an execution fragment of $A$.

First, suppose that $\alpha$ is weakly fair for $C$. We are required to show that $\alpha''$ is also weakly fair with respect to $C$. By definition of weak fairness, either $\alpha$ contains infinitely many events from $C$, or it has no suffix in which $C$ is enabled in all states. Since $\alpha''$ is a suffix of $\alpha$, in either case we conclude that $\alpha''$ is weakly fair with respect to $C$ by using the definition of weak fairness.

Now, suppose that $\alpha''$ is weakly fair for $C$. We are required to show that $\alpha$ is also weakly fair with respect to $C$. Similarly to the case above, this is easy to show by using the definition of weak fairness and the fact that $\alpha''$ is a suffix of $\alpha$. ∎

Theorem 6.13 For any timed automaton $A$, and any subset $C$ of its actions, the set of strongly fair execution fragments for $C$ is history-independent.

Theorem 6.14 For any timed automaton $A$, the set of admissible execution fragments is history-independent.


6.2 Implementation Relationships

We define another preorder for automata with properties:

• $(A_1, P_1) \leq (A_2, P_2)$ provided that $traces_{(A_1,P_1)} \subseteq traces_{(A_2,P_2)}$.

If $P_1$ is a liveness property for a TA $A_1$, and $P_2$ is any property for a TA $A_2$, and $(A_1, P_1)$ and $(A_2, P_2)$ are related by the preorder defined above, then every closed trace of $A_1$ is also a trace of $A_2$. This is shown in the following theorem.

Theorem 6.15 Suppose that $P_1$ is a liveness property for $A_1$ and $P_2$ is any property for $A_2$. If $(A_1, P_1) \leq (A_2, P_2)$ then every closed trace of $A_1$ is a trace of $A_2$.

Proof: Assume $(A_1, P_1) \leq (A_2, P_2)$ and let $\beta$ be a closed trace of $A_1$. Let $\alpha$ be a closed execution of $A_1$ with $trace(\alpha) = \beta$. Since $P_1$ is a liveness property of $A_1$, there exists an execution fragment $\alpha'$ of $A_1$ such that $\alpha \frown \alpha' \in P_1$.

Let $\beta' = trace(\alpha \frown \alpha')$; then clearly $\beta' \in traces_{(A_1,P_1)}$. Then because $(A_1, P_1) \leq (A_2, P_2)$, we have that $\beta' \in traces_{(A_2,P_2)}$. Since $\beta$ is a prefix of $\beta'$ and the set of traces of $A_2$ is prefix-closed, it follows that $\beta$ is a trace of $A_2$, as needed. ∎


6.3 Simulation Relations

As we have seen in Section 4.5, simulation relations provide a useful tool for reasoning about implementation relationships between automata at multiple levels of abstraction. The existence of a forward or a backward simulation relation, or a history or a prophecy relation, from one timed automaton $A$ to another, $B$, is sufficient to establish that each trace of $A$ is also a trace of $B$.

For any TA $A$ the set of all execution fragments of $A$, $frags_A$, constitutes a safety property. This follows from the definition of a safety property in Section 6.1.1 by using the fact that $frags_A$ is prefix- and limit-closed. Suppose we define a safety property $S_1$ for an automaton $A$ to be $frags_A$ and a safety property $S_2$ for an automaton $B$ to be $frags_B$. The existence of a forward simulation relation from $A$ to $B$ would imply that for any execution $\alpha \in S_1$, there is an execution $\beta \in S_2$ such that $trace(\alpha) = trace(\beta)$. However, the same implication does not in general hold if we replace the safety properties $S_1$ and $S_2$ with arbitrary liveness properties $L_1 \subseteq S_1$ and $L_2 \subseteq S_2$ for $A$ and $B$, respectively. In [9] Attie addresses this issue in an untimed setting and proposes several notions of "liveness-preserving" simulation relations. The liveness properties that he considers are of a special form that is analogous to the acceptance condition of a complemented-pairs automaton [7].

In the two theorems below, we consider the special classes of weak and strong fairness properties and state some extra constraints on forward simulation relations. The existence of a forward simulation relation from an automaton $A$ to another $B$ that satisfies these additional constraints allows us to conclude that the trace of each fair execution of $A$ is also a trace of a fair execution of $B$. The constraints that we impose on the forward simulation relation for discrete steps turn out to be special cases of Attie's constraints [9].

Let $A$ and $B$ be comparable TAs. Let $C_A$ be a set of actions of $A$ and $C_B$ be a set
of actions of $B$. A fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$ is a
relation $R \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of $A$
and $B$, respectively:

1. If $x_A \in \Theta_A$ then there exists a state $x_B \in \Theta_B$ such that $x_A\,R\,x_B$. Moreover, if $C_A$
is disabled in $x_A$, then $C_B$ is disabled in $x_B$.

2. If $x_A\,R\,x_B$ and $\alpha$ is an execution fragment of $A$ consisting of an action $a$ surrounded
by two point trajectories, with $\alpha.\mathit{fstate} = x_A$, then $B$ has a closed execution fragment
$\beta$ such that $\beta.\mathit{fstate} = x_B$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$, and $\alpha.\mathit{lstate}\,R\,\beta.\mathit{lstate}$. Moreover,

(a) If $a \in C_A$ then $\beta$ contains some event in $C_B$.
(b) If $C_A$ is disabled in $\alpha.\mathit{lstate}$ then
i. If $\beta = \wp(x_B)$ then $C_B$ is disabled in $x_B$.
ii. If $\beta \neq \wp(x_B)$ then $C_B$ is disabled in all states in $\beta$ except possibly in $x_B$.

3. If $x_A\,R\,x_B$ and $\alpha$ is an execution fragment of $A$ consisting of a single closed
trajectory, with $\alpha.\mathit{fstate} = x_A$, then $B$ has a closed execution fragment $\beta$ such that
$\beta.\mathit{fstate} = x_B$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$, and $\alpha.\mathit{lstate}\,R\,\beta.\mathit{lstate}$. Moreover,

(a) If $\beta.\mathit{ltime} = 0$ and $C_A$ is disabled in $x_A$ then $C_B$ is disabled in all states in $\beta$.

(b) If $\beta.\mathit{ltime} > 0$ then for all $t$ such that $0 < t \le \alpha.\mathit{ltime}$, if $C_A$ is disabled in
$\alpha(t)$ then for each closed prefix $\beta'$ of $\beta$ such that $\beta'.\mathit{ltime} = t$, $C_B$ is disabled in
$\beta'.\mathit{lstate}$.


We say that $R$ is a fair forward simulation from $A$ to $B$, without mentioning $C_A$ and
$C_B$ explicitly, when those sets are clear from the context.


Now, we define a construction that, given two automata $A$ and $B$, two sets of actions
$C_A$ and $C_B$, a fair forward simulation $R$ from $A$ to $B$, and an execution $\alpha$ of $A$, generates
an execution $\beta$ of $B$ by using the definition of a fair forward simulation.


Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$, respectively,
and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$. Let $\alpha$ be an
execution of $A$. The construction consists of the following steps:

1. Using axioms T1 and T2, write $\alpha$ as a concatenation $\alpha_0 \frown \alpha_1 \frown \alpha_2 \frown \cdots$ ($\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_n$
if $\alpha$ is a finite sequence ending with a closed trajectory), in which each execution
fragment $\alpha_i$ consists of either a single closed trajectory or one action surrounded by
two point trajectories. Without loss of generality, we can assume that for each $i \ge 0$,
$\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$.

2. Define inductively a sequence $\beta_0\,\beta_1 \ldots$ of closed execution fragments of $B$, such that
$\beta_0.\mathit{fstate} = x_B$ for some $x_B \in \Theta_B$ and, for each $i$, $\alpha_i.\mathit{lstate}\,R\,\beta_i.\mathit{lstate}$, $\beta_i.\mathit{lstate} =
\beta_{i+1}.\mathit{fstate}$, and $\mathit{trace}(\alpha_i) = \mathit{trace}(\beta_i)$. We use Properties 1 and 3 of a fair forward
simulation in the construction of $\beta_0$, Property 2 in the construction of $\beta_i$ consisting of
one action surrounded by two point trajectories, and Property 3 in the construction
of $\beta_i$ consisting of a single closed trajectory.

3. Let $\beta$ be the concatenation $\beta_0 \frown \beta_1 \frown \cdots$.


For such $\beta$, we say that $\beta$ corresponds to $\alpha$ with respect to $R$, $C_A$ and $C_B$. When
$R$, $C_A$, and $C_B$ are clear from the context, we do not state their names explicitly.


Lemma 6.16 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$,
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$.
Let $\alpha$ be an execution of $A$ and $\beta$ be an execution of $B$ that corresponds to $\alpha$. Suppose
that $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$ in the construction
of $\beta$. Then, $\beta$ satisfies the following properties:

1. If $C_A$ is disabled in $\alpha_0.\mathit{fstate}$, then $C_B$ is disabled in $\beta_0.\mathit{fstate}$.

2. For each $\alpha_i$ of the form $\wp(x_A)\,a\,\wp(x'_A)$ let $x_B = \beta_i.\mathit{fstate}$. Then,

• If $a \in C_A$ then $\beta_i$ contains some event in $C_B$.
• If $C_A$ is disabled in $x'_A$ then
  – If $\beta_i = \wp(x_B)$ then $C_B$ is disabled in $x_B$.
  – If $\beta_i \neq \wp(x_B)$ then $C_B$ is disabled in all states in $\beta_i$ except possibly in $x_B$.

3. For each $\alpha_i$ consisting of a single closed trajectory:

• If $\beta_i.\mathit{ltime} = 0$ and $C_A$ is disabled in $\alpha_i.\mathit{fstate}$ then $C_B$ is disabled in all states in $\beta_i$.
• If $\beta_i.\mathit{ltime} > 0$ then for all $t$ such that $0 < t \le \alpha_i.\mathit{ltime}$, if $C_A$ is disabled in
$\alpha_i(t)$ then for each closed prefix $\beta'_i$ of $\beta_i$ such that $\beta'_i.\mathit{ltime} = t$, $C_B$ is disabled
in $\beta'_i.\mathit{lstate}$.

4. $\beta$ is an execution of $B$ such that $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$.
Proof: Properties 1, 2 and 3 follow from the construction of $\beta$ and the definition of a
fair forward simulation relation. We show property 4 as follows. By Lemma 4.7, $\beta$ is an
execution fragment of $B$. By the construction of $\beta$, $\beta_0.\mathit{fstate} = x_B$ for some $x_B \in \Theta_B$.
Therefore, $\beta$ is an execution of $B$. By Lemma 3.9 applied to both $\alpha$ and $\beta$, $\mathit{trace}(\beta) =
\mathit{trace}(\alpha)$. ∎


Lemma 6.17 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$,
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$.
Let $\alpha$ be an execution of $A$, and let $\beta$ be an execution of $B$ that corresponds to $\alpha$. Then,
if $\alpha$ contains infinitely many events from $C_A$, it must be the case that $\beta$ contains infinitely
many events from $C_B$.




Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ in
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action
surrounded by two point trajectories, and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$. Suppose that $\alpha$
contains infinitely many events from $C_A$. By property 2 of Lemma 6.16 in the construction
of $\beta$, we have that for each $\alpha_i$ consisting of one action surrounded by two point trajectories,
if $\alpha_i$ contains a $C_A$ event, then $\beta_i$ contains a $C_B$ event. Since there are infinitely many $C_A$
events in $\alpha$, there must be infinitely many $C_B$ events in $\beta$, as needed. ∎


Lemma 6.18 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$,
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$.
Let $\alpha$ be an execution of $A$ that is a finite sequence ending with a closed trajectory, and let
$\beta$ be an execution of $B$ that corresponds to $\alpha$. Then, if $C_A$ is disabled in $\alpha.\mathit{lstate}$ it must
be the case that $C_B$ is disabled in $\beta.\mathit{lstate}$.


Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_n$ in
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action
surrounded by two point trajectories, and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots \frown \beta_n$. Suppose
that $C_A$ is disabled in $\alpha.\mathit{lstate}$. Since $\alpha.\mathit{lstate} = \alpha_n.\mathit{lstate}$, we have that $C_A$ is disabled in
$\alpha_n.\mathit{lstate}$. Now, consider the following cases:

1. $\alpha_n$ is a single closed trajectory.
Since $C_A$ is disabled in $\alpha_n.\mathit{lstate}$, by using property 3 in Lemma 6.16, we have that
$C_B$ is disabled in $\beta_n.\mathit{lstate}$. Since $\beta.\mathit{lstate} = \beta_n.\mathit{lstate}$, we have that $C_B$ is disabled
in $\beta.\mathit{lstate}$, as needed.

2. $\alpha_n$ is one action surrounded by point trajectories.
Since $C_A$ is disabled in $\alpha_n.\mathit{lstate}$, by using property 2 in Lemma 6.16, we have that
$C_B$ is disabled in $\beta_n.\mathit{lstate}$. Since $\beta.\mathit{lstate} = \beta_n.\mathit{lstate}$, we have that $C_B$ is disabled
in $\beta.\mathit{lstate}$, as needed.




Lemma 6.19 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$,
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$.
Let $\alpha$ be an execution of $A$ such that $\alpha$ is an infinite sequence or a finite sequence ending
with an open trajectory, and let $\beta$ be an execution of $B$ that corresponds to $\alpha$. Then, if for
some suffix $\alpha'$ of $\alpha$, $C_A$ is disabled in all states in $\alpha'$, it must be the case that for some
suffix $\beta'$ of $\beta$, $C_B$ is disabled in all states in $\beta'$.




Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ in
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action
surrounded by two point trajectories, and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$. Suppose that
for some suffix $\alpha'$ of $\alpha$, $C_A$ is disabled in all states in $\alpha'$. Consider the following cases:

1. For infinitely many $i \ge 0$, $\alpha_i$ is an execution fragment consisting of an action
surrounded by point trajectories.
Without loss of generality we can assume that $\alpha' = \alpha_i \frown \alpha_{i+1} \frown \cdots$ for some $i \ge 0$
and $\alpha'$ is an infinite sequence starting with a discrete action surrounded by two point
trajectories. Now, consider the corresponding execution fragment $\beta' = \beta_i \frown \beta_{i+1} \frown \cdots$
of $\beta$. Let $\beta''$ be the suffix $\beta_{i+1} \frown \beta_{i+2} \frown \cdots$ of $\beta'$. Since $C_A$ is disabled in all states
in $\alpha'$, $C_A$ is disabled in $\alpha_i.\mathit{lstate}$. By property 2 of Lemma 6.16 we know that $C_B$
is disabled in $\beta_i.\mathit{lstate}$. Then for each $j > i$, by properties 2 and 3 of Lemma 6.16,
we know that $C_B$ is disabled in all states in $\beta_j$, except possibly in $\beta_j.\mathit{fstate}$. Since
for each $j > i$, $\beta_j.\mathit{fstate} = \beta_{j-1}.\mathit{lstate}$ by the construction of $\beta$, we know that $C_B$ is
disabled in all states of $\beta''$, which is a suffix of $\beta$.

2. For only finitely many $i \ge 0$, $\alpha_i$ consists of an action surrounded by point trajectories.
Then for all sufficiently large $i \ge 0$, $\alpha_i$ consists of a single closed trajectory. Without
loss of generality we can assume that $\alpha' = \alpha_i \frown \alpha_{i+1} \frown \cdots$ for some sufficiently
large $i \ge 0$ and for each $j \ge i$, $\alpha_j$ is a single closed trajectory. Now consider
the corresponding execution fragment $\beta' = \beta_i \frown \beta_{i+1} \frown \cdots$. Let $\beta''$ be the suffix
$\beta_{i+1} \frown \beta_{i+2} \frown \cdots$ of $\beta'$. Since $C_A$ is disabled in all states in $\alpha'$, $C_A$ is disabled
in $\alpha_i.\mathit{lstate}$. Then, by property 3 of Lemma 6.16, we know that $C_B$ is disabled in
$\beta_i.\mathit{lstate}$ and for each $j > i$, $C_B$ is disabled in all states in $\beta_j$, except possibly in
$\beta_j.\mathit{fstate}$. Since for each $j > i$, $\beta_j.\mathit{fstate} = \beta_{j-1}.\mathit{lstate}$ by the construction of $\beta$, we
know that $C_B$ is disabled in all states of $\beta''$, which is a suffix of $\beta$.


Lemma 6.20 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$,
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$.
Let $\alpha$ be an execution of $A$ such that $\alpha$ is an infinite sequence or a finite sequence ending
with an open trajectory, and let $\beta$ be an execution of $B$ that corresponds to $\alpha$. Then, if
there is no suffix $\alpha'$ of $\alpha$ such that $C_A$ is enabled in all states in $\alpha'$, it must be the case
that there is no suffix $\beta'$ of $\beta$ such that $C_B$ is enabled in all states in $\beta'$.




Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ in
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action
surrounded by two point trajectories, and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$. Suppose that
there is no suffix $\alpha'$ of $\alpha$ such that $C_A$ is enabled in all states in $\alpha'$. This means that for
infinitely many $i \ge 0$, $C_A$ is disabled in some state of $\alpha_i$. Then, by properties 2 and 3 in
Lemma 6.16, we know that for infinitely many $i \ge 0$, $C_B$ is disabled in some state of $\beta_i$.
This implies that $\beta$ has no suffix in which $C_B$ is enabled in all states. ∎


The following lemma states that a fair forward simulation from $A$ to $B$ yields a
correspondence for open trajectories.


Lemma 6.21 Let $A$ and $B$ be comparable TAs, $C_A$ and $C_B$ be sets of actions of $A$ and
$B$ respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and
$C_B$. Let $x_A$ and $x_B$ be states of $A$ and $B$, respectively, such that $x_A\,R\,x_B$. Let $\alpha$ be an
execution fragment of $A$ from state $x_A$ consisting of a single open trajectory $\tau$. Then $B$
has an execution fragment $\beta$ with $\beta.\mathit{fstate} = x_B$ and $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$. Moreover, $\beta$
satisfies the following condition: for all $t$ such that $0 < t < \tau.\mathit{ltime}$, if $C_A$ is disabled in
$\tau(t)$ then for each prefix $\beta'$ of $\beta$ such that $\beta'.\mathit{ltime} = t$, $C_B$ is disabled in $\beta'.\mathit{lstate}$.


Proof: Let $\tau$ be the single open trajectory in $\alpha$. Using axioms T1 and T2, we construct
an infinite sequence $\tau_0\,\tau_1 \ldots$ of closed trajectories of $A$ such that $\tau = \tau_0 \frown \tau_1 \frown \cdots$. Then,
working recursively, we construct a sequence $\beta_0\,\beta_1 \ldots$ of closed execution fragments of
$B$ such that $\beta_0.\mathit{fstate} = x_B$ and, for each $i$, $\tau_i.\mathit{lstate}\,R\,\beta_i.\mathit{lstate}$, $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$,
$\mathit{trace}(\tau_i) = \mathit{trace}(\beta_i)$, and the following fairness condition holds: for all $t$ such that $0 <
t \le \tau_i.\mathit{ltime}$, if $C_A$ is disabled in $\tau_i(t)$ then for each prefix $\beta'_i$ of $\beta_i$ such that $\beta'_i.\mathit{ltime} = t$,
$C_B$ is disabled in $\beta'_i.\mathit{lstate}$. This construction uses induction on $i$, using Property 3 of the
definition of a fair forward simulation in the induction step. Now let $\beta = \beta_0 \frown \beta_1 \frown \cdots$. By
Lemma 4.7, $\beta$ is an execution fragment of $B$. Clearly, $\beta.\mathit{fstate} = x_B$. By Lemma 3.9 applied
to both $\alpha$ and $\beta$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$. Using Property 3 for each $\beta_i$, and the inductive
hypothesis $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$, we have that for all $t$ such that $0 < t < \tau.\mathit{ltime}$, if $C_A$
is disabled in $\tau(t)$ then for each prefix $\beta'$ of $\beta$ such that $\beta'.\mathit{ltime} = t$, $C_B$ is disabled in
$\beta'.\mathit{lstate}$. Thus $\beta$ has the required properties. ∎


Theorem 6.22 Suppose that $R$ is a fair forward simulation relation from $A$ to $B$ with
respect to a set $C_A$ of actions of $A$ and a set $C_B$ of actions of $B$. Let $L_A$ be the set of
strongly fair executions of $A$ for $C_A$ and let $L_B$ be the set of strongly fair executions of $B$
for $C_B$. Then $(A, L_A) \le (B, L_B)$.
Proof: Let $\alpha$ be an execution of $A$ such that $\alpha \in L_A$ and let $\beta$ be an execution fragment
of $B$ that corresponds to $\alpha$ with respect to $R$, $C_A$ and $C_B$. By property 4 in Lemma 6.16
we know that $\beta$ is an execution of $B$ such that $\mathit{trace}(\alpha) = \mathit{trace}(\beta)$. We show that $\beta \in L_B$
by considering the following cases:

1. $\alpha$ contains infinitely many events from $C_A$.
By Lemma 6.17, we know that $\beta$ has infinitely many events from $C_B$. Then, by
definition of strong fairness $\beta \in L_B$, as needed.

2. For some suffix $\alpha'$ of $\alpha$, $C_A$ is disabled in all states in $\alpha'$.

(a) $\alpha$ is either an infinite sequence or a finite sequence ending with an open trajectory.
Then, by Lemma 6.19, we have that $C_B$ is disabled in all states in some suffix
of $\beta$. Then, by definition of strong fairness $\beta \in L_B$, as needed.

(b) $\alpha$ is a finite sequence ending with a closed trajectory.
By Lemma 6.18, we have that $C_B$ is disabled in $\beta.\mathit{lstate}$. Since the point trajectory
$\wp(\beta.\mathit{lstate})$ is a suffix of $\beta$, by definition of strong fairness $\beta \in L_B$, as needed.


Theorem 6.23 Suppose that $R$ is a fair forward simulation relation from $A$ to $B$ with
respect to a set $C_A$ of actions of $A$ and a set $C_B$ of actions of $B$. Let $L_A$ be the set of
weakly fair executions of $A$ for $C_A$ and let $L_B$ be the set of weakly fair executions of $B$ for
$C_B$. Then $(A, L_A) \le (B, L_B)$.


Proof: Let $\alpha$ be an execution of $A$ such that $\alpha \in L_A$ and let $\beta$ be an execution fragment
of $B$ that corresponds to $\alpha$ with respect to $R$, $C_A$ and $C_B$. By property 4 in Lemma 6.16
we know that $\beta$ is an execution of $B$ such that $\mathit{trace}(\alpha) = \mathit{trace}(\beta)$. We show that $\beta \in L_B$
by considering the following cases:

1. $\alpha$ contains infinitely many events from $C_A$.
By Lemma 6.17, we know that $\beta$ has infinitely many events from $C_B$. Then, by
definition of weak fairness $\beta \in L_B$, as needed.

2. There is no suffix $\alpha'$ of $\alpha$ such that $C_A$ is enabled in all states in $\alpha'$.

(a) $\alpha$ is either an infinite sequence or a finite sequence ending with an open trajectory.
Then, by Lemma 6.20, we have that there is no suffix $\beta'$ of $\beta$ such that $C_B$ is
enabled in all states in $\beta'$. By definition of weak fairness $\beta \in L_B$, as needed.




(b) $\alpha$ is a finite sequence ending with a closed trajectory.
By Lemma 6.18, we have that $C_B$ is disabled in $\beta.\mathit{lstate}$. Therefore, $\beta$ cannot
have any suffix in which $C_B$ is enabled in all states. Then, by definition of weak
fairness $\beta \in L_B$, as needed.


It would have been possible to prove Theorem 6.23 for a slightly different notion of 
fair forward simulation obtained by weakening Property 3 of the current definition. The 
current definition requires that the disabling is carried over from the low-level automaton 
to the high-level one for all states in a trajectory, except for the first state of trajectories 
with limit time greater than zero. For proving Theorem 6.23, it would have been sufficient 
to require that the disabling be carried over for some states only. 


6.4 Composition 


This section includes results that are essential for compositional reasoning about timed 
automata with properties. They are specializations of the similar results in Section 5.1. 


6.4.1 Definitions and Basic Results 


If $A_1$ and $A_2$ are two compatible timed automata and $P_1$ and $P_2$ are properties for $A_1$
and $A_2$, respectively, then we define $P_1 \| P_2$ to be $\{\alpha \in \mathit{frags}_{A_1 \| A_2} \mid \alpha \lceil (A_i, X_i) \in P_i,\ i \in
\{1, 2\}\}$. Using this, we define composition of automata with properties $(A_1, P_1) \| (A_2, P_2)$
as $(A_1 \| A_2, P_1 \| P_2)$.


Theorem 6.24 Let $A_1$ and $A_2$ be two compatible TAs and $P_1$ and $P_2$ be properties for $A_1$
and $A_2$, respectively. Then $\mathit{traces}_{(A_1 \| A_2, P_1 \| P_2)}$ is exactly the set of $(E, \emptyset)$-sequences whose
restrictions to $A_1$ and $A_2$ are $\mathit{traces}_{(A_1, P_1)}$ and $\mathit{traces}_{(A_2, P_2)}$, respectively. That is,

$\mathit{traces}_{(A_1 \| A_2, P_1 \| P_2)} = \{\beta \mid \beta$ is an $(E, \emptyset)$-sequence and $\beta \lceil (E_i, \emptyset) \in \mathit{traces}_{(A_i, P_i)},\ i \in \{1, 2\}\}$.


Proof: Follows from the definition of composition of automata with properties and Theorem 5.4. ∎


6.4.2 Substitutivity Results 

Theorem 6.25 Suppose that $A_1$, $A_2$, and $B$ are TAs, $A_1$ and $A_2$ have the same external
actions, and each of $A_1$ and $A_2$ is compatible with $B$. Suppose that $P_1$, $P_2$, and $Q$ are
properties for $A_1$, $A_2$, and $B$, respectively. If $(A_1, P_1) \le (A_2, P_2)$ then $(A_1, P_1) \| (B, Q) \le
(A_2, P_2) \| (B, Q)$.

This theorem can be strengthened with two corollaries.


Corollary 6.26 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible
with each of $B_1$ and $B_2$. Suppose that $P_i$ and $Q_i$ are properties for $A_i$ and $B_i$, respectively,
for $i \in \{1, 2\}$. If $(A_1, P_1) \le (A_2, P_2)$ and $(B_1, Q_1) \le (B_2, Q_2)$ then $(A_1, P_1) \| (B_1, Q_1) \le
(A_2, P_2) \| (B_2, Q_2)$.

Corollary 6.27 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible
with each of $B_1$ and $B_2$. Suppose that $P_i$ and $Q_i$ are properties for $A_i$ and $B_i$, respectively,
for $i \in \{1, 2\}$. If $(A_1, P_1) \| (B_2, Q_2) \le (A_2, P_2) \| (B_2, Q_2)$ and $(B_1, Q_1) \le (B_2, Q_2)$ then
$(A_1, P_1) \| (B_1, Q_1) \le (A_2, P_2) \| (B_2, Q_2)$.


7 Timed I/O Automata 


In this section we refine the timed automaton model of Section 4 by distinguishing between 
input and output actions. Typically, an interaction between a system and its environment 
is modeled by using output and input actions to represent, respectively, the external events 
under the control of the system and the environment. We extend the results on simulation 
relations and composition from Sections 4 and 5 to this new setting. We also introduce 
special kinds of timed I/O automata: I/O feasible, progressive, and receptive TIOAs. 


7.1 Definition of Timed I/O Automata

A timed I/O automaton (TIOA) $A$ is a tuple $(B, I, O)$ where

• $B = (X, Q, \Theta, E, H, D, T)$ is a timed automaton.

• $I$ and $O$ partition $E$ into input and output actions, respectively. Actions in $L =
H \cup O$ are called locally controlled; as before we write $A = E \cup H$.

• The following additional axioms are satisfied:

E1 (Input action enabling)
For every $x \in Q$ and every $a \in I$, there exists $x' \in Q$ such that $x \xrightarrow{a} x'$.

E2 (Time-passage enabling)
For every $x \in Q$, there exists $\tau \in T$ such that $\tau.\mathit{fstate} = x$ and either

1. $\tau.\mathit{ltime} = \infty$, or
2. $\tau$ is closed and some $l \in L$ is enabled in $\tau.\mathit{lstate}$.
Input action enabling is the input enabling condition of ordinary I/O automata; it says
that a TIOA is able to perform an input action at any time. The time-passage enabling
condition says that a TIOA either allows time to advance forever, or it allows
time to advance for a while, up to a point where it is prepared to react with some locally
controlled action. Because TIOAs have no external variables, E1 and E2 are slightly
simpler than the corresponding axioms for HIOAs.


Notation: As we did for TAs, we often denote the components of a TIOA $A$ by
$B_A, I_A, O_A, X_A, Q_A, \Theta_A$, etc., and those of a TIOA $A_i$ by $B_i, I_i, O_i, \ldots, X_i, Q_i, \Theta_i$, etc.
We sometimes omit these subscripts, where no confusion is likely. We abuse notation
slightly by referring to a TIOA $A$ as a TA when we intend to refer to $B_A$.


Example 7.1 (TAs viewed as TIOAs) The automaton $\mathit{TimedChannel}(b, M)$ described
in Example 4.1 can be turned into a TIOA by classifying the send actions as inputs, and
the receive actions as outputs. Since there is no precondition for send actions, they are
enabled in each state, so clearly the input enabling condition E1 holds. It is also easy to
see that axiom E2 holds: in each state either $\mathit{queue}$ is nonempty, in which case a receive
output action is enabled after a point trajectory, or $\mathit{queue}$ is empty, in which case time
can advance forever.

The automaton $\mathit{ClockSync}(u, \rho)_i$ of Example 4.6 can be turned into a TIOA by
classifying the send actions as outputs, and the receive actions as inputs. Axiom E1 then holds
trivially. Axiom E2 holds since from each state either time can advance forever, or we have
an outgoing trajectory (possibly of length 0) to a state in which $\mathit{physclock} = \mathit{nextsend}$,
and from there a send output action is enabled. ∎


7.2 Executions and Traces

An execution fragment, execution, trace fragment, or trace of a TIOA $A$ is defined to
be an execution fragment, execution, trace fragment, or trace of the underlying TA $B_A$,
respectively.


We say that an execution fragment of a TIOA is locally-Zeno if it is Zeno and contains 
infinitely many locally controlled actions, or equivalently, if it has finite limit time and 
contains infinitely many locally controlled actions. 


7.3 Special Kinds of Timed I/O Automata 
7.3.1 Feasible and I/O Feasible TIOAs 


A TIOA $A = (B, I, O)$ is defined to be feasible provided that its underlying TA $B$ is feasible
according to the definition given in Section 4.3.1. As noted in Section 4.3.1, feasibility is a
basic requirement that any TA (or TIOA) should satisfy. I/O feasibility is a strengthened
version of feasibility that takes inputs into account. It says that the automaton is capable of
providing some response from any state, for any sequence of input actions and any amount
of intervening time-passage. In particular, it should allow time to pass to infinity if the
environment does not submit any input actions. Formally, we define a TIOA to be I/O
feasible provided that, for each state $x$ and each $(I, \emptyset)$-sequence $\beta$, there is some execution
fragment $\alpha$ from $x$ such that $\alpha \lceil (I, \emptyset) = \beta$. That is, an I/O feasible TIOA accommodates
arbitrary input actions occurring at arbitrary times. The given $(I, \emptyset)$-sequence $\beta$ describes
the inputs and the amounts of intervening time.


7.3.2 Progressive TIOAs 


A progressive TIOA never generates infinitely many locally controlled actions in finite
time. Formally, a TIOA $A$ is progressive if it has no locally-Zeno execution fragments.


The following lemma says that any progressive TIOA is capable of advancing time 
forever. 


Lemma 7.2 Every progressive TIOA is feasible.

Proof: Let $A$ be a progressive TIOA and let $x$ be a state of $A$. Since $A$ is a TIOA it
satisfies axiom E2. We construct an admissible execution fragment $\alpha = \alpha_0 \frown \alpha_1 \frown \alpha_2 \cdots$
from $x$ as follows.

1. $\alpha_0 = \wp(x)$.
2. For each $i > 0$,

(a) If there exists a trajectory $\tau$ from $\alpha_{i-1}.\mathit{lstate}$ such that $\tau.\mathit{ltime} = \infty$ then $\alpha_i$ is
the final execution fragment in the sequence and $\alpha_i = \tau$.
(b) Otherwise, let $\tau_i$ be a closed execution fragment from $\alpha_{i-1}.\mathit{lstate}$ such that some $l \in L$
is enabled in $\tau_i.\mathit{lstate}$. Define $\alpha_i = \tau_i\,l\,\tau_{i+1}$ where $\tau_{i+1} = \wp(y)$ and $\tau_i.\mathit{lstate} \xrightarrow{l} y$.

The above construction either ends after finitely many stages such that the last
trajectory of $\alpha$ is admissible, or goes through infinitely many stages such that $\alpha$ contains
infinitely many local actions. In the former case, we know that $\alpha$ is admissible since it
ends with an admissible trajectory. In the latter case, since $A$ is progressive, the fact
that $\alpha$ has infinitely many local actions implies that $\alpha$ is admissible, as needed. ∎


The following lemma says that a progressive TIOA is capable of allowing any amount 
of time to pass from any state. 
Lemma 7.3 Let $A$ be a progressive TIOA, let $x$ be a state of $A$, and let $\tau \in \mathit{trajs}(\emptyset)$.
Then there exists an execution fragment $\alpha$ of $A$ such that $\alpha.\mathit{fstate} = x$ and $\alpha \lceil (I, \emptyset) = \tau$.

Proof: The result follows from the construction used in the proof of Lemma 7.2. Let
$\alpha$ be an admissible execution fragment from $x$ constructed as in the proof of Lemma 7.2.
Let $\alpha'$ be a prefix of $\alpha$ such that $\alpha' \lceil (\emptyset, \emptyset) = \tau$. Since our construction uses no actions
from $I$, we have $\alpha' \lceil (I, \emptyset) = \alpha' \lceil (\emptyset, \emptyset) = \tau$, as needed. ∎


The following theorem says that a progressive TIOA is capable not just of allowing 
arbitrary amounts of time to pass, but of allowing arbitrary input actions at arbitrary 
times. 


Theorem 7.4 Every progressive TIOA is I/O feasible. 


Proof: Let $A$ be a progressive TIOA, let $x$ be a state of $A$, and let $\beta = \tau_0\,a_1\,\tau_1\,a_2\,\tau_2 \ldots$
be an $(I, \emptyset)$-sequence. We construct a finite or infinite sequence $\alpha_0\,\alpha_1 \ldots$ of execution
fragments such that:

1. $\alpha_0.\mathit{fstate} = x$.

2. For each nonfinal index $i$, $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$.

3. For each $i$, $(\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_i) \lceil (I, \emptyset) = \tau_0\,a_1\,\tau_1 \ldots \tau_i$.

The construction is carried out recursively. To define $\alpha_0$, we start with $x$ and use
Lemma 7.3 to span $\tau_0$. For $i > 0$, we define $\alpha_i$ by starting with $\alpha_{i-1}.\mathit{lstate}$, using axiom
E1 to perform the input action $a_i$ and move to a new state and then using Lemma 7.3 to
span $\tau_i$.

Let $\alpha = \alpha_0 \frown \alpha_1 \frown \cdots$. By Lemma 3.8, $\alpha$ is an execution fragment of $A$ from $x$ such
that $\alpha \lceil (I, \emptyset) = \beta$, as needed. ∎


7.3.3 Receptive Timed I/O Automata 


In this section, we define the notion of receptiveness for TIOAs. A TIOA will be defined
to be receptive provided that it admits a strategy for resolving its nondeterministic choices
that never generates infinitely many locally controlled actions in finite time. This notion
has an important consequence: a receptive TIOA provides some response from any state,
for any sequence of discrete input actions at any times. This implies that the automaton
has a nontrivial set of execution fragments; in fact, it has execution fragments that
accommodate any inputs from the environment. The automaton cannot simply stop at
some point and refuse to allow time to elapse; it must allow time to pass to infinity if the
environment does so. Previous studies of receptiveness properties include [12, 1, 36, 24].
The notion of receptiveness for TIOAs as discussed here is a special case of the same notion
for HIOAs [22].


We build our definition of receptiveness on our earlier definition of progressive TIOAs. 
Namely, we define a strategy for resolving nondeterministic choices, and define receptive- 
ness in terms of the existence of a progressive strategy. 


We define a strategy for a TIOA $A$ to be a TIOA $A'$ that differs from $A$ only in that
$D' \subseteq D$ and $T' \subseteq T$. That is, we require:

• $D' \subseteq D$.
• $T' \subseteq T$.
• $X = X'$, $Q = Q'$, $\Theta = \Theta'$, $E = E'$, $H = H'$, $I = I'$, and $O = O'$.


Our strategies are nondeterministic and memoryless. They provide a way of choosing some
of the evolutions that are possible from each state $x$ of $A$. The fact that the state set $Q'$
of $A'$ is the same as the state set $Q$ of $A$ implies that $A'$ chooses evolutions from every
state of $A$.


Notions of strategy have been used also in previous studies of receptiveness [12, 1, 
36, 24]. However, in these earlier works, strategies have been formalized using two-player 
games rather than automata. Defining strategies using automata allows us to avoid intro- 
ducing extra mathematical machinery. 


Lemma 7.5 If $A'$ is a strategy for $A$, then every execution fragment of $A'$ is also an
execution fragment of $A$.


We define a TIOA to be receptive if it has a progressive strategy. The following theorem 
says that any receptive TIOA can respond to any inputs from the environment. 


Theorem 7.6 Every receptive TIOA is I/O feasible. 


Proof: The proof is similar to that of the corresponding theorem for HIOAs [22]. ∎


Example 7.7 (Progressive and receptive TIOAs) The time-bounded channel
automaton described in Example 4.1 is not progressive since it allows for an infinite execution
in which send and receive actions alternate without any passage of time in between. The
time-bounded channel automaton is receptive, however, as we may construct a progressive
strategy for it by adding a condition $u = \mathit{now}$ to the precondition of the receive action.
In this way we enforce that the channel operates maximally slowly and messages are only
delivered at their delivery deadline. The clock synchronization automaton of Example 4.6
is progressive (and therefore receptive) since it can only generate a locally controlled
action each time its physical clock advances by $u$ time units and the real time that elapses
between two locally produced actions is at least $u(1 - \rho)$ time units. ∎
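The checks of Examples 7.1 and 7.7 and the construction in the proof of Lemma 7.2, carried out on a small executable model of $\mathit{TimedChannel}(b, M)$. This is an added example, not code from the paper: the state (now plus a FIFO of (message, deadline) pairs), the rule that time cannot pass beyond the earliest deadline in the queue, and all function names are assumptions about Example 4.1.

```python
"""TimedChannel(b, M) of Example 4.1 modelled as a TIOA.  Added example (not
from the paper).  Assumed model: state = (now, FIFO of (message, deadline u)),
send(m) appends (m, now + b), trajectories advance `now` at rate 1 and may
not pass the earliest deadline.  The strategy of Example 7.7 adds u == now
to the precondition of receive."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

INF = float("inf")


@dataclass
class ChannelState:
    now: float = 0.0
    queue: list = field(default_factory=list)   # FIFO of (message, deadline u)


class TimedChannel:
    """Inputs: send(m).  Outputs: receive(m).  No internal actions."""

    def __init__(self, b: float, messages: tuple, strategy: bool = False):
        self.b = b
        self.M = messages
        self.strategy = strategy   # True: strategy automaton A' (D' restricts receive)

    # ---- discrete transitions D (D' for the strategy) ----
    def send(self, s: ChannelState, m: str) -> ChannelState:
        # input action with no precondition, so E1 holds in every state
        return ChannelState(s.now, s.queue + [(m, s.now + self.b)])

    def receive_enabled(self, s: ChannelState, m: str) -> bool:
        if not s.queue or s.queue[0][0] != m:
            return False
        return (not self.strategy) or s.queue[0][1] == s.now

    def receive(self, s: ChannelState, m: str) -> Optional[ChannelState]:
        return ChannelState(s.now, s.queue[1:]) if self.receive_enabled(s, m) else None

    # ---- trajectories T: now advances at rate 1, stopping at the earliest deadline ----
    def max_delay(self, s: ChannelState) -> float:
        """Largest ltime of a trajectory from s; INF when the queue is empty."""
        return min((u for _, u in s.queue), default=INF) - s.now

    def advance(self, s: ChannelState, d: float) -> Optional[ChannelState]:
        if d < 0 or d > self.max_delay(s):
            return None                          # no such trajectory
        return ChannelState(s.now + d, list(s.queue))

    # ---- axioms E1 and E2 ----
    def e1_holds(self, s: ChannelState) -> bool:
        return all(self.send(s, m) is not None for m in self.M)

    def e2_witness(self, s: ChannelState) -> tuple:
        """('infinite', INF, None) if time can pass forever from s, otherwise
        ('closed', d, action): a closed trajectory of length d whose last
        state has a locally controlled action enabled."""
        if not s.queue:
            return ("infinite", INF, None)
        # original channel: receive is enabled after a point trajectory (d = 0);
        # strategy: first wait until the head's deadline
        d = s.queue[0][1] - s.now if self.strategy else 0.0
        m = self.advance(s, d).queue[0][0]
        return ("closed", d, f"receive({m})")


def lemma_7_2_execution(ch: TimedChannel, s: ChannelState, max_steps: int = 50) -> list:
    """Construction from the proof of Lemma 7.2: take the E2 witness trajectory,
    then the enabled local action, until an admissible (ltime = INF)
    trajectory is reached.  Returns a description of the steps taken."""
    steps = []
    for _ in range(max_steps):
        kind, d, action = ch.e2_witness(s)
        if kind == "infinite":
            steps.append("time passes forever")
            return steps
        s = ch.advance(s, d)
        s = ch.receive(s, s.queue[0][0])
        steps.append(f"wait {d} then {action}")
    raise RuntimeError("no admissible trajectory reached")   # would mean: not progressive


def alternate_send_receive(ch: TimedChannel, rounds: int, m: str = "ping") -> float:
    """send/receive pairs, letting time pass only when receive is blocked.
    Returns the elapsed time: 0.0 for the original channel (the locally-Zeno
    pattern of Example 7.7), rounds * b under the strategy."""
    s = ChannelState()
    for _ in range(rounds):
        s = ch.send(s, m)
        if not ch.receive_enabled(s, m):
            s = ch.advance(s, ch.max_delay(s))   # wait until u == now
        s = ch.receive(s, m)
    return s.now
```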


7.4 Implementation Relationships

Two TIOAs $A_1$ and $A_2$ are comparable if their inputs and outputs coincide, that is, if
$I_1 = I_2$ and $O_1 = O_2$. If $A_1$ and $A_2$ are comparable, then $A_1 \le A_2$ is defined to mean
that the traces of $A_1$ are included among those of $A_2$: $A_1 \le A_2 \triangleq \mathit{traces}_{A_1} \subseteq \mathit{traces}_{A_2}$.
Lemma 7.8 Let $A_1$, $A_2$ be two comparable TIOAs and let $B_1$, $B_2$ be, respectively, the
underlying TAs for $A_1$ and $A_2$. Then $B_1$ and $B_2$ are comparable and $A_1 \le A_2$ iff $B_1 \le B_2$.

Proof: Immediate from the definitions. ∎


7.5 Simulation Relations 


The definition of forward simulation for TIOAs is the same as for TAs. Formally, if
$A_1 = (B_1, I_1, O_1)$ and $A_2 = (B_2, I_2, O_2)$ are two comparable TIOAs, then a forward
simulation from $A_1$ to $A_2$ is a forward simulation from $B_1$ to $B_2$.

Theorem 7.9 If $A_1$ and $A_2$ are comparable TIOAs and there is a forward simulation
from $A_1$ to $A_2$, then $A_1 \le A_2$.


The definitions and results about backward simulations, history and prophecy relations 
for timed automata from Section 4 carry over to timed automata with input and output 
distinction in a similar fashion. 


8 Operations on Timed I/O Automata 


8.1 Composition 


In this section, we define the operations of composition and hiding and present projec- 
tion, pasting and substitutivity results for TIOAs. We revisit the special kinds of TIOAs 
introduced in Section 7 and show that the classes of progressive and receptive timed I/O 
automata are closed under composition, while this is not true for the class of I/O feasible 
automata. 
8.1.1 Definitions and Basic Results

The definition of composition for TIOAs is based on the corresponding definition for TAs,
but also takes the input/output structure into account. We say that TIOAs $A_1$ and $A_2$
are compatible if, for $i \neq j$, $X_i \cap X_j = H_i \cap A_j = O_i \cap O_j = \emptyset$.


Lemma 8.1 If $A_1 = (B_1, I_1, O_1)$ and $A_2 = (B_2, I_2, O_2)$ are compatible TIOAs, then $B_1$
and $B_2$ are compatible TAs.


If $A_1$ and $A_2$ are compatible TIOAs then their composition $A_1 \| A_2$ is defined to be the
tuple $A = (B, I, O)$ where

• $B = B_1 \| B_2$.
• $I = (I_1 \cup I_2) - (O_1 \cup O_2)$.
• $O = O_1 \cup O_2$.

Thus, an external action of the composition is classified as an output if it is an output of
one of the component automata, and otherwise it is classified as an input. The composition
of two TIOAs is guaranteed to be a TIOA:


Theorem 8.2 If $A_1$ and $A_2$ are TIOAs then $A_1 \| A_2$ is a TIOA.

Proof: The proof is straightforward except for showing that Axiom E2 is satisfied by the
composition. Let $x$ be a state of $A_1 \| A_2$. We need to show the existence of a trajectory
from $x$ that satisfies E2.

By definition of $A_1 \| A_2$, $x \lceil X_1$ is a state of $A_1$ and $x \lceil X_2$ is a state of $A_2$. We know
that both $A_1$ and $A_2$ satisfy E2. Let $\tau_1$ be a trajectory of $A_1$ with $\tau_1.\mathit{fstate} = x \lceil X_1$ that
satisfies E2, let $\tau_2$ be a trajectory of $A_2$ with $\tau_2.\mathit{fstate} = x \lceil X_2$ that satisfies E2, and
consider the following cases:

1. $\tau_1.\mathit{ltime} = \infty$ and $\tau_2.\mathit{ltime} = \infty$.
Then, define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = \tau_2$.

2. $\tau_1.\mathit{ltime} = \infty$ and $\tau_2$ is closed where some $l \in L_2$ is enabled in $\tau_2.\mathit{lstate}$.
Then, define $\tau$ such that $\tau \downarrow X_1 = \tau_1 \lceil \mathit{dom}(\tau_2)$ and $\tau \downarrow X_2 = \tau_2$.

3. $\tau_1$ is closed where some $l \in L_1$ is enabled in $\tau_1.\mathit{lstate}$ and $\tau_2.\mathit{ltime} = \infty$.
Then, define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = \tau_2 \lceil \mathit{dom}(\tau_1)$.

4. $\tau_1$ is closed where some $l \in L_1$ is enabled in $\tau_1.\mathit{lstate}$ and $\tau_2$ is closed where some
$l \in L_2$ is enabled in $\tau_2.\mathit{lstate}$.
If $\mathit{dom}(\tau_1) \subseteq \mathit{dom}(\tau_2)$, then define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 =
\tau_2 \lceil \mathit{dom}(\tau_1)$. Otherwise, define $\tau$ such that $\tau \downarrow X_1 = \tau_1 \lceil \mathit{dom}(\tau_2)$ and $\tau \downarrow X_2 = \tau_2$.

In all the cases, by definition of trajectories for a TIOA, $\tau$ is a trajectory of $A_1 \| A_2$ from
$x$, which satisfies E2 by construction.


Note that this theorem is stronger than the corresponding theorem (Theorem 6.12 in [22]) for general HIOAs. Two HIOAs $A_1$ and $A_2$ are required to be "strongly compatible" for their composition to be a hybrid I/O automaton. This extra condition is needed to rule out dependencies among external variables that may prevent the component automata from evolving together. The absence of external variables in TIOAs eliminates this kind of problematic behavior. Thus, for the timed case, we do not require the notion of strong compatibility that was needed for the hybrid case.


Composition of TIOAs satisfies the following projection and pasting result, which follows from Theorem 5.4.

Theorem 8.3 Let $A_1$ and $A_2$ be compatible TIOAs, and let $A = A_1 \| A_2$. Then $traces_A$ is exactly the set of $(E, \emptyset)$-sequences whose restrictions to $A_1$ and $A_2$ are traces of $A_1$ and $A_2$, respectively. That is, $traces_A = \{\beta \mid \beta \text{ is an } (E, \emptyset)\text{-sequence and } \beta \lceil (E_i, \emptyset) \in traces_{A_i},\ i \in \{1, 2\}\}$.


8.1.2 Substitutivity Results


The following theorem is analogous to Theorem 5.8 for TAs without input/output distinction. It shows that the introduction of the input/output distinction does not cause any changes to the substitutivity results we obtained for general TAs.

Theorem 8.4 Suppose $A_1$ and $A_2$ are comparable TIOAs with $A_1 \le A_2$. Suppose that $B$ is a TIOA that is compatible with each of $A_1$ and $A_2$. Then $A_1 \| B \le A_2 \| B$.


The corollaries below follow from Corollaries 5.9 and 5.10 of Theorem 5.8.

Corollary 8.5 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TIOAs, $A_1$ and $A_2$ are comparable, $B_1$ and $B_2$ are comparable, and each of $A_1$ and $A_2$ is compatible with each of $B_1$ and $B_2$. If $A_1 \le A_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$.

Corollary 8.6 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TIOAs, $A_1$ and $A_2$ are comparable, $B_1$ and $B_2$ are comparable, and each of $A_1$ and $A_2$ is compatible with each of $B_1$ and $B_2$. If $A_1 \| B_2 \le A_2 \| B_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$.
The basic substitutivity theorem, Theorem 8.4, is desirable for any formalism for interacting processes. For design purposes, it enables one to refine individual components without violating the correctness of the system as a whole. For verification purposes, it enables one to prove that a composite system satisfies its specification by proving that each component satisfies its specification, thereby breaking down the verification task into more manageable pieces. However, it might not always be possible or easy to show that each component $A_1$ (resp. $B_1$) satisfies its specification $A_2$ (resp. $B_2$) without using any assumptions about the environment of the component. Assume-guarantee style results such as those presented in [19, 33, 38, 1, 2, 18, 39] are special kinds of substitutivity results that state what guarantees are expected from each component in an environment constrained by certain assumptions. Since the environment of each component consists of the other components in the system, assume-guarantee style results need to break the circular dependencies between the assumptions and guarantees for components. We present below two assume-guarantee style theorems, Theorem 8.7 and Corollary 8.8, which can be used for proving that a system specified as a composite automaton $A_1 \| B_1$ implements a specification represented by a composite automaton $A_2 \| B_2$.


The main idea behind Theorem 8.7 is to assume that $A_1$ implements $A_2$ in a context represented by $B_2$, and symmetrically that $B_1$ implements $B_2$ in a context represented by $A_2$, where $A_2$ and $B_2$ are automata whose trace sets are closed under limits. The requirement about limit-closure implies that $A_2$ and $B_2$ specify trace safety properties. Moreover, we assume that the trace sets of $A_2$ and $B_2$ are closed under time-extension. That is, the automata allow arbitrary time-passage. This is the most general assumption one could make to ensure that $A_2 \| B_2$ does not impose stronger constraints on time-passage than $A_1 \| B_1$. Note that the definitions of limit and time-extension of a hybrid sequence can be found in Section 9.2.


Theorem 8.7 Suppose $A_1$, $A_2$, $B_1$, $B_2$ are TIOAs such that $A_1$ and $A_2$ are comparable, $B_1$ and $B_2$ are comparable, and $A_i$ is compatible with $B_i$ for $i \in \{1, 2\}$. Suppose further that:

1. The sets $traces_{A_2}$ and $traces_{B_2}$ are closed under limits.
2. The sets $traces_{A_2}$ and $traces_{B_2}$ are closed under time-extension.
3. $A_1 \| B_2 \le A_2 \| B_2$ and $A_2 \| B_1 \le A_2 \| B_2$.

Then $A_1 \| B_1 \le A_2 \| B_2$.


Proof: We first prove by induction on the length of traces of $A_1 \| B_1$ that every closed trace of $A_1 \| B_1$ is a trace of $A_2 \| B_2$.

For the base case, let $\beta$ be a trace of $A_1 \| B_1$ such that $\beta \in trajs(\emptyset)$ (a single trajectory over the empty set of variables). By Axiom T0 in the definition of a TA, we know that $A_2$ and $B_2$ have traces $\alpha_1$ and $\alpha_2$ such that $\alpha_1.ltime = \alpha_2.ltime = 0$. By Assumption 2 we have $\alpha_1 \frown \beta \in traces_{A_2}$ and $\alpha_2 \frown \beta \in traces_{B_2}$. Since $\alpha_1 \frown \beta = \beta$ and $\alpha_2 \frown \beta = \beta$, it follows that $\beta \in traces_{A_2}$ and $\beta \in traces_{B_2}$. By pasting using Theorem 8.3, $\beta \in traces_{A_2 \| B_2}$, as needed.

For the inductive step we consider the following cases:

1. $\beta = \beta' \, a \, \tau$, where $a$ is an output action of $A_1$ and $\tau$ is a point trajectory.

Then $\beta \lceil (E_{A_1}, \emptyset) \in traces_{A_1}$ by projection using Theorem 8.3. By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. So $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$ by projection using Theorem 8.3. Let $\alpha$ be an execution of $B_2$ such that $trace(\alpha) = \beta' \lceil (E_{B_2}, \emptyset)$. Since $A_1$ and $B_1$ are compatible TIOAs, $B_1$ and $B_2$ are comparable, and $a$ is an output action of $A_1$, we know that either $a$ is an input action of $B_2$ or the action set of $B_2$ does not contain $a$. In the former case, by the input-enabling axiom (E1) we know that there exists $x'$ such that $(\alpha.lstate, a, x')$ is a discrete transition of $B_2$. It follows that $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. In the latter case, since $\beta \lceil (E_{B_2}, \emptyset) = \beta' \lceil (E_{B_2}, \emptyset)$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$, we get $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By pasting using Theorem 8.3, $\beta \in traces_{A_1 \| B_2}$. Then by Assumption 3, $\beta \in traces_{A_2 \| B_2}$.

2. $\beta = \beta' \, b \, \tau$, where $b$ is an output action of $B_1$ and $\tau$ is a point trajectory.

This case is symmetric with the previous one.

3. $\beta = \beta' \, c \, \tau$, where $c$ is an input action of both $A_1$ and $B_1$ and $\tau$ is a point trajectory.

By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. By projection using Theorem 8.3 we get $\beta' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Let $\alpha$ be an execution of $A_2$ such that $trace(\alpha) = \beta' \lceil (E_{A_2}, \emptyset)$. Since $A_1$ and $A_2$ are comparable and $c$ is an input action of $A_1$, we know that $c$ is an input action of $A_2$. By the input-enabling axiom (E1) we know that there exists $x'$ such that $(\alpha.lstate, c, x')$ is a discrete transition of $A_2$. It follows that $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$. Similarly, let $\alpha'$ be an execution of $B_2$ such that $trace(\alpha') = \beta' \lceil (E_{B_2}, \emptyset)$. Since $B_1$ and $B_2$ are comparable and $c$ is an input action of $B_1$, we know that $c$ is an input action of $B_2$. By the input-enabling axiom (E1) we know that there exists $y'$ such that $(\alpha'.lstate, c, y')$ is a discrete transition of $B_2$. It follows that $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By pasting using Theorem 8.3, we get $\beta \in traces_{A_2 \| B_2}$.

4. $\beta = \beta' \, d \, \tau$, where $d$ is an input action of $A_1$ but not an action of $B_1$, and $\tau$ is a point trajectory.

By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. By projection using Theorem 8.3, we have $\beta' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Let $\alpha$ be an execution of $A_2$ such that $trace(\alpha) = \beta' \lceil (E_{A_2}, \emptyset)$. Since $A_1$ and $A_2$ are comparable TIOAs and $d$ is an input action of $A_1$, $d$ must be an input action of $A_2$. By the input-enabling axiom (E1) we know that there exists $x'$ such that $(\alpha.lstate, d, x')$ is a discrete transition of $A_2$. It follows that $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$. Since $B_1$ and $B_2$ are comparable and $d$ is not an action of $B_1$, $d$ cannot be an external action of $B_2$. Therefore, $\beta \lceil (E_{B_2}, \emptyset) = \beta' \lceil (E_{B_2}, \emptyset)$. Since $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$ we get $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By pasting using Theorem 8.3, we get $\beta \in traces_{A_2 \| B_2}$.

5. $\beta = \beta' \, d \, \tau$, where $d$ is an input action of $B_1$ but not an action of $A_1$, and $\tau$ is a point trajectory.

This case is symmetric with the previous one.

6. $\beta = \beta' \frown \beta''$, where $\beta''$ is a hybrid sequence consisting of a single trajectory $\tau$.

By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. By projection using Theorem 8.3, we get $\beta' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By Assumption 2, we have $\beta' \lceil (E_{A_2}, \emptyset) \frown \beta'' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \frown \beta'' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Then by pasting using Theorem 8.3, $\beta \in traces_{A_2 \| B_2}$, as needed.

We have thus shown that every closed trace of $A_1 \| B_1$ is a trace of $A_2 \| B_2$. Now consider any non-closed trace $\beta$ of $A_1 \| B_1$. This $\beta$ can be written as the limit of a sequence $\beta_1 \beta_2 \cdots$ of closed traces of $A_1 \| B_1$. By the first part of the proof we know that each $\beta_i \in traces_{A_2 \| B_2}$, and by projection using Theorem 8.3 each $\beta_i \lceil (E_{A_2}, \emptyset)$ is a closed trace of $A_2$ and $\beta_i \lceil (E_{B_2}, \emptyset)$ is a closed trace of $B_2$. We know that $\beta \lceil (E_{A_2}, \emptyset)$ is the limit of the $\beta_i \lceil (E_{A_2}, \emptyset)$ and similarly $\beta \lceil (E_{B_2}, \emptyset)$ is the limit of the $\beta_i \lceil (E_{B_2}, \emptyset)$. Since the sets $traces_{A_2}$ and $traces_{B_2}$ are limit-closed by Assumption 1, we get $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Finally, by pasting using Theorem 8.3, we get $\beta \in traces_{A_2 \| B_2}$. ∎


Note that automata with FIN and timing-independence (see Section 4.3.1 for definitions) constitute examples of context automata $A_2$ and $B_2$ that satisfy Assumptions 1 and 2. The property FIN implies Assumption 1 (Lemma 4.18) and timing-independence implies Assumption 2.


Theorem 8.7 has a corollary, Corollary 8.8 below, which can be used in the decomposition of proofs even when $A_2$ and $B_2$ neither admit arbitrary time-passage nor have limit-closed trace sets. The main idea behind this corollary is to assume that $A_1$ implements $A_2$ in a context $B_3$ that is a variant of $B_2$, and symmetrically that $B_1$ implements $B_2$ in a context $A_3$ that is a variant of $A_2$. That is, the correctness of the implementation relationship between $A_1$ and $A_2$ does not depend on all the environment constraints, just on those expressed by $B_3$ (symmetrically for $B_1$, $B_2$, and $A_3$). In order to use this corollary to prove $A_1 \| B_1 \le A_2 \| B_2$ one needs to be able to find appropriate variants of $A_2$ and $B_2$ that meet the required closure properties. This corollary prompts one to pin down what is essential about the behavior of the environment in proving the intended implementation relationship, and also allows one to avoid the unnecessary details of the environment in proofs. In Section 9 we extend this corollary to the case where properties, typically liveness properties, are added to automaton specifications.
Corollary 8.8 Suppose $A_1$, $A_2$, $A_3$, $B_1$, $B_2$, $B_3$ are TIOAs such that $A_1$, $A_2$, and $A_3$ are comparable, $B_1$, $B_2$, and $B_3$ are comparable, and $A_i$ is compatible with $B_i$ for $i \in \{1, 2, 3\}$. Suppose further that:

1. The sets $traces_{A_3}$ and $traces_{B_3}$ are closed under limits.
2. The sets $traces_{A_3}$ and $traces_{B_3}$ are closed under time-extension.
3. $A_2 \| B_3 \le A_3 \| B_3$ and $A_3 \| B_2 \le A_3 \| B_3$.
4. $A_1 \| B_3 \le A_2 \| B_3$ and $A_3 \| B_1 \le A_3 \| B_2$.

Then $A_1 \| B_1 \le A_2 \| B_2$.


Proof: Since $A_1 \| B_3 \le A_2 \| B_3$ by Assumption 4 and $A_2 \| B_3 \le A_3 \| B_3$ by Assumption 3, we get $A_1 \| B_3 \le A_2 \| B_3 \le A_3 \| B_3$ by transitivity of $\le$. Similarly, we have $A_3 \| B_1 \le A_3 \| B_2 \le A_3 \| B_3$. Since $A_1 \| B_3 \le A_3 \| B_3$ and $A_3 \| B_1 \le A_3 \| B_3$, by using Assumptions 1 and 2 and Theorem 8.7 (with $A_3$ and $B_3$ in the roles of $A_2$ and $B_2$) we have $A_1 \| B_1 \le A_3 \| B_3$.

Let $\beta$ be a trace of $A_1 \| B_1$. By projection using Theorem 8.3, $\beta \lceil (E_{A_1}, \emptyset) \in traces_{A_1}$ and $\beta \lceil (E_{B_1}, \emptyset) \in traces_{B_1}$. Since $A_1 \| B_1 \le A_3 \| B_3$, we know that $\beta \in traces_{A_3 \| B_3}$. By projection using Theorem 8.3, $\beta \lceil (E_{A_3}, \emptyset) \in traces_{A_3}$ and $\beta \lceil (E_{B_3}, \emptyset) \in traces_{B_3}$. By pasting using Theorem 8.3, we have $\beta \in traces_{A_1 \| B_3}$ and $\beta \in traces_{A_3 \| B_1}$. By Assumption 4, we get $\beta \in traces_{A_2 \| B_3}$ and $\beta \in traces_{A_3 \| B_2}$. Then, by projection using Theorem 8.3, $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Finally, by pasting using Theorem 8.3 we have $\beta \in traces_{A_2 \| B_2}$, as needed. ∎


Example 8.9 (Using environment assumptions to prove safety)

This example illustrates that, in cases where the specifications $A_2$ and $B_2$ satisfy certain closure properties, it is possible to decompose the proof of $A_1 \| B_1 \le A_2 \| B_2$ by using Theorem 8.7, even if it is not the case that $A_1 \le A_2$ or $B_1 \le B_2$.

The automata AlternateA and AlternateB in Figure 16 are timing-independent automata in which no consecutive outputs occur without inputs happening in between. AlternateA and AlternateB perform a handshake, outputting an alternating sequence of $a$ and $b$ actions when they are composed. The automata CatchUpA and CatchUpB in Figure 17 are timing-dependent automata that do not necessarily alternate inputs and outputs as AlternateA and AlternateB do. CatchUpA can perform an arbitrary number of $b$ actions, and can perform an $a$ provided that $counta \le countb$. It allows $counta$ to increase to one more than $countb$. CatchUpB can perform an arbitrary number of $a$ actions, and can perform a $b$ provided that $countb + 1 \le counta$. It allows $countb$ to reach $counta$. Timing constraints require each output to occur exactly one time unit after the last action. CatchUpA and CatchUpB perform an alternating sequence of $a$ actions and $b$ actions when they are composed.
Automaton AlternateA
  Variables X:     discrete myturn ∈ Bool initially true
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        myturn := true
    output a
      precondition
        myturn
      effect
        myturn := false
  Trajectories T:
    satisfies
      constant(myturn)

Automaton AlternateB
  Variables X:     discrete myturn ∈ Bool initially false
  States Q:        val(X)
  Actions A:       input a, output b
  Transitions D:
    input a
      effect
        myturn := true
    output b
      precondition
        myturn
      effect
        myturn := false
  Trajectories T:
    satisfies
      constant(myturn)

Figure 16: Example automata for $A_2$ and $B_2$ in Theorem 8.7


Suppose that we want to prove that CatchUpA $\|$ CatchUpB $\le$ AlternateA $\|$ AlternateB. We cannot apply the basic substitutivity theorem, Theorem 8.4, or its Corollary 8.5, since the assertions CatchUpA $\le$ AlternateA and CatchUpB $\le$ AlternateB are not true. Consider the trace $\tau_0 \, b \, \tau_1 \, a \, \tau_2 \, a \, \tau_3$ of CatchUpA, where $\tau_0$, $\tau_1$, $\tau_2$ and $\tau_3$ are trajectories with limit time 1. After having performed one $b$ and one $a$, CatchUpA can perform another $a$. But this is impossible for AlternateA, which needs an input to enable the second $a$. AlternateA and CatchUpA behave similarly only when put in a context that imposes alternation.

It is easy to check that AlternateA and AlternateB satisfy the closure properties required by Assumptions 1 and 2 of Theorem 8.7 and hence can be substituted for $A_2$
Automaton CatchUpA
  Variables X:     discrete counta, countb ∈ N initially 0
                   analog now ∈ R≥0 initially 0
                   analog next ∈ R≥0 ∪ {∞} initially 0
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        countb := countb + 1
        next := now + 1
    output a
      precondition
        counta ≤ countb ∧ now = next
      effect
        counta := counta + 1
        next := now + 1
  Trajectories T:
    satisfies
      constant(counta, countb)
    stops when
      now = next

Automaton CatchUpB
  Variables X:     discrete counta, countb ∈ N initially 0
                   analog now ∈ R≥0 initially 0
                   analog next ∈ R≥0 ∪ {∞} initially 0
  States Q:        val(X)
  Actions A:       input a, output b, internal c
  Transitions D:
    input a
      effect
        counta := counta + 1
        next := now + 1
    output b
      precondition
        countb + 1 ≤ counta ∧ now = next
      effect
        countb := countb + 1
        next := now + 1
  Trajectories T:
    satisfies
      constant(counta, countb)
    stops when
      now = next

Figure 17: Example automata $A_1$ and $B_1$ for Theorem 8.7
and $B_2$, respectively. Similarly, we can easily check that Assumption 3 is satisfied if we substitute CatchUpA for $A_1$ and CatchUpB for $B_1$.
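As an added example (not code from the paper), the following Python models the automata of Figures 16 and 17 and mechanically checks the two claims just made: the trace of the closed composition CatchUpA $\|$ CatchUpB is a trace of AlternateA $\|$ AlternateB, whereas CatchUpA on its own, after a single $b$ input, produces $a$ followed by $a$, which AlternateA cannot. Beyond what the figures state, it assumes that `now` advances at rate 1 in CatchUpA/B, that an enabled output fires at once (the `stops when now = next` clause forbids delaying it), and an input schedule of our own choosing (one $b$ at time 0) for the stand-alone run. Because AlternateA/B are timing-independent, membership of a timed trace in their trace set depends only on the order of actions, which is what `accepts_untimed` checks.

```python
# Added example (not from the paper): executable models of AlternateA/B (Figure 16) and
# CatchUpA/B (Figure 17) to check the claims of Example 8.9. Assumed beyond the figures:
# `now` advances at rate 1 in CatchUpA/B, an enabled output fires at once ('stops when
# now = next' forbids delaying it), and the stand-alone input schedule below is ours.
from dataclasses import dataclass, field

INF = float("inf")

@dataclass
class Alternate:
    """AlternateA = Alternate('a', 'b', True); AlternateB = Alternate('b', 'a', False).
    Timing-independent: any trajectory is allowed, so only the action order matters."""
    out: str
    inp: str
    myturn: bool

    def enabled(self):                    # precondition of the output
        return self.myturn

    def do(self, act):                    # effect of an input or output
        if act == self.inp:
            self.myturn = True
        elif act == self.out:
            self.myturn = False

@dataclass
class CatchUp:
    """CatchUpA = CatchUp('a', 'b', slack=0): output a needs counta <= countb.
    CatchUpB = CatchUp('b', 'a', slack=1): output b needs countb + 1 <= counta.
    Both outputs also need now = next; every a or b sets next := now + 1."""
    out: str
    inp: str
    slack: int
    count: dict = field(default_factory=lambda: {"a": 0, "b": 0})
    now: float = 0.0
    next: float = 0.0

    def enabled(self):
        return (self.count[self.out] + self.slack <= self.count[self.inp]
                and self.now == self.next)

    def do(self, act):
        if act in (self.inp, self.out):
            self.count[act] += 1
            self.next = self.now + 1

def run(components, inputs, horizon):
    """Execute CatchUp components against an environment that supplies `inputs`, a
    list of (time, action); returns the trace as a list of (time, action). Stops at
    the horizon, or earlier if nothing is enabled and 'stops when now = next' lets
    no time pass (a time-blocked state; the closed composition never reaches one)."""
    t, trace, pending = 0.0, [], sorted(inputs)
    while True:
        if pending and pending[0][0] == t:           # deliver an environment input
            _, act = pending.pop(0)
        else:
            firing = [c for c in components if c.enabled()]
            if firing:
                act = firing[0].out
            elif t >= horizon:
                return trace
            else:                                    # let time pass to the next deadline
                dt = min([c.next - c.now for c in components]
                         + [pending[0][0] - t if pending else INF, horizon - t])
                if dt == 0:
                    return trace                     # time-blocked
                for c in components:
                    c.now += dt                      # trajectories have d(now) = 1
                t += dt
                continue
        for c in components:
            c.do(act)
        trace.append((t, act))

def accepts_untimed(spec, trace):
    """Trace membership for a composition of timing-independent automata: replay the
    action sequence, requiring each output's precondition to hold when it occurs."""
    for _, act in trace:
        if any(act == c.out and not c.enabled() for c in spec):
            return False
        for c in spec:
            c.do(act)
    return True

def composed_catchup_trace(horizon=4):
    """Closed system CatchUpA||CatchUpB: a at 0, b at 1, a at 2, b at 3, a at 4."""
    return run([CatchUp("a", "b", 0), CatchUp("b", "a", 1)], [], horizon)

def standalone_catchupA_trace():
    """CatchUpA alone, given one b at time 0: a at 1, then a again at 2 (no b between)."""
    return run([CatchUp("a", "b", 0)], [(0.0, "b")], 4)

def composed_trace_in_spec():
    spec = [Alternate("a", "b", True), Alternate("b", "a", False)]
    return accepts_untimed(spec, composed_catchup_trace())

def standalone_trace_in_specA():
    return accepts_untimed([Alternate("a", "b", True)], standalone_catchupA_trace())
```

`composed_trace_in_spec()` returns True and `standalone_trace_in_specA()` returns False, which is exactly the situation Theorem 8.7 is designed for: the component refinements fail in isolation but hold under the alternation imposed by the context. The stand-alone run ends in a time-blocked state after the second $a$ (CatchUpA has $now = next$ and nothing enabled), a reminder that CatchUpA is only meant to be used in a context that answers each $a$ with a $b$.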


Example 8.10 (Extracting essential environment assumptions with auxiliary automata) This example illustrates that it may be possible to decompose verification, using Corollary 8.8, in cases where Theorem 8.7 is not applicable. If the aim is to show $A_1 \| B_1 \le A_2 \| B_2$ where $A_2$ and $B_2$ do not satisfy the assumptions of Theorem 8.7, then we find appropriate context automata $A_3$ and $B_3$ that abstract from those details of $A_2$ and $B_2$ that are not essential in proving $A_1 \| B_1 \le A_2 \| B_2$.

Consider the automata UseOldInputA and UseOldInputB in Figure 18. UseOldInputA keeps track of whether or not it is UseOldInputA's turn, and when it is UseOldInputA's turn, it keeps track of the next time it is supposed to perform an output. The number of outputs that UseOldInputA can perform is bounded by a natural number. In the case of repeated $b$ inputs, it is the oldest input that determines when the next output will occur. The automaton UseOldInputB is the same as UseOldInputA (inputs and outputs reversed) except that the turn variable of UseOldInputB is set to false initially. Note that UseOldInputA and UseOldInputB are not timing-independent and their trace sets are not limit-closed. For each automaton, there are infinitely many start states, one for each natural number. We can build an infinite chain of traces, where each element in the chain corresponds to an execution starting from a distinct start state. The limit of such a chain, which contains infinitely many outputs, cannot be a trace of UseOldInputA or UseOldInputB since the number of outputs they can perform is bounded by a natural number. The automaton UseNewInputA in Figure 19 behaves similarly to UseOldInputA except for the handling of inputs. In the case of repeated $b$ inputs, it is the most recent input that determines when the next output will occur. The automaton UseNewInputB in Figure 19 is the same as UseNewInputA (inputs and outputs reversed) except that the turn variable of UseNewInputB is set to false initially.

Suppose that we want to prove that:
UseNewInputA $\|$ UseNewInputB $\le$ UseOldInputA $\|$ UseOldInputB.

Theorem 8.7 is not applicable here because the high-level automata UseOldInputA and UseOldInputB do not satisfy the required closure properties. However, we can use Corollary 8.8 to decompose verification. It requires us to find auxiliary automata that are less restrictive than UseOldInputA and UseOldInputB but that are restrictive enough to express the constraints that should be satisfied by the environment, for UseNewInputA to implement UseOldInputA and for UseNewInputB to implement UseOldInputB.

The automata AlternateA and AlternateB in Figure 16 can be used as auxiliary automata in this example. They satisfy the closure properties required by Corollary 8.8 and impose alternation, which is the only additional condition needed to ensure the required trace inclusion.
Automaton UseOldInputA
  Variables X:     discrete myturn ∈ Bool initially true
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially 0
                   analog next ∈ R≥0 ∪ {∞} initially 0
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        myturn := true
        if next = ∞ then next := now + 1
    output a
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:
    satisfies
      constant(myturn, maxout, next)
      d(now) = 1
    stops when
      now = next

Automaton UseOldInputB
  Variables X:     discrete myturn ∈ Bool initially false
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially 0
                   analog next ∈ R≥0 ∪ {∞} initially 0
  States Q:        val(X)
  Actions A:       input a, output b
  Transitions D:
    input a
      effect
        myturn := true
        if next = ∞ then next := now + 1
    output b
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:
    satisfies
      constant(myturn, maxout, next)
      d(now) = 1
    stops when
      now = next

Figure 18: Example automata for $A_2$ and $B_2$ in Corollary 8.8
Automaton UseNewInputA
  Variables X:     discrete myturn ∈ Bool initially true
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially 0
                   analog next ∈ R≥0 ∪ {∞} initially 0
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        myturn := true
        next := now + 1
    output a
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:
    satisfies
      constant(myturn, maxout, next)
      d(now) = 1
    stops when
      now = next

Automaton UseNewInputB
  Variables X:     discrete myturn ∈ Bool initially false
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially 0
                   analog next ∈ R≥0 ∪ {∞} initially 0
  States Q:        val(X)
  Actions A:       input a, output b
  Transitions D:
    input a
      effect
        myturn := true
        next := now + 1
    output b
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:
    satisfies
      constant(myturn, maxout, next)
      d(now) = 1
    stops when
      now = next

Figure 19: Example automata for $A_1$ and $B_1$ in Corollary 8.8
We can define a forward simulation relation from UseNewInputA $\|$ UseNewInputB to UseOldInputA $\|$ UseOldInputB, which is based on the equality of the turn variables of the implementation and the specification automata. The fact that this simulation relation only uses the equality of turn variables reinforces the idea that the auxiliary contexts, which only keep track of their turn, capture exactly what is needed for the proof of UseNewInputA $\|$ UseNewInputB $\le$ UseOldInputA $\|$ UseOldInputB. We can observe that a direct proof of this assertion would require one to deal with state variables such as $maxout$ and $next$ of both UseOldInputA and UseOldInputB, which do not play any essential role in the proof. On the other hand, by decomposing the proof along the lines of Corollary 8.8, some of the unnecessary details can be avoided. Even though this is a toy example with an easy proof, it should not be hard to see how this simplification would scale to large proofs.


8.1.3 Composition of Special Kinds of TIOAs


The following example illustrates that the set of I/O feasible TIOAs is not closed under composition:

Example 8.11 (Two I/O feasible TIOAs whose composition is not I/O feasible)

Consider two I/O feasible TIOAs $A$ and $B$, where $O_A = I_B = \{a\}$ and $O_B = I_A = \{b\}$. Suppose that $A$ performs its output $a$ at time 0 and then waits, allowing time to pass, until it receives input $b$. If and when it receives $b$, it responds with output $a$ without allowing any time to pass (and ignoring any inputs that occur before it has a chance to perform its output). On the other hand, $B$ starts out waiting, allowing time to pass, until it receives input $a$. If and when it receives $a$, it responds with output $b$ without allowing time to pass.

It is not difficult to see that $A$ and $B$ are individually I/O feasible. We claim that the composition $A \| B$ is not I/O feasible. To see this, consider the start state of $A \| B$ and the unique input sequence $\beta$ with $\beta.ltime = \infty$ ($\beta$ simply allows time to pass to infinity; it is the only $(I, \emptyset)$-sequence of that length because $A \| B$ has no input actions: $I = (I_A \cup I_B) - (O_A \cup O_B) = \emptyset$). The composition $A \| B$ has no way of accommodating this input, since it will never allow time to pass beyond 0. ∎
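As an added example (not from the paper), the following Python computes the I/O signature of a composition as defined in Section 8.1.1 and gives a minimal executable version of the two automata of Example 8.11. The signature check shows why the time-passage-only sequence is the unique input of $A \| B$ (its input set is empty). The `Responder` class, a name of our own, abstracts each automaton to a single flag recording whether it currently owes an output, which is all that matters for whether time may pass; `time_reached` reports whether the composition can let time advance past 0 when no inputs arrive from outside.

```python
# Added example (not from the paper): the I/O signature computation of Section 8.1.1
# and a minimal executable version of the two automata of Example 8.11. A and B are
# each I/O feasible, but composed they answer each other at time 0 forever, so the
# input sequence that only lets time pass cannot be accommodated. Names are ours.
INF = float("inf")

def compose_signature(*sigs):
    """I/O signature of a composition from (inputs, outputs) pairs: O is the union
    of the outputs, I = (I_1 ∪ I_2) − O. Components that share an output are not
    compatible (O_i ∩ O_j must be empty) and are rejected."""
    outs = [set(o) for _, o in sigs]
    for i in range(len(outs)):
        for j in range(i + 1, len(outs)):
            if outs[i] & outs[j]:
                raise ValueError(f"not compatible: shared outputs {outs[i] & outs[j]}")
    O = set().union(*outs)
    I = set().union(*(set(i) for i, _ in sigs)) - O
    return frozenset(I), frozenset(O)

class Responder:
    """A = Responder('a', 'b', owes=True): outputs a at time 0, then answers every
    input b with an immediate a. B = Responder('b', 'a', owes=False): waits, and
    answers every input a with an immediate b. While an output is owed, the
    automaton does not let time pass."""
    def __init__(self, out, inp, owes):
        self.out, self.inp, self.owes = out, inp, owes

    def do(self, act):
        if act == self.inp:
            self.owes = True
        elif act == self.out:
            self.owes = False

def time_reached(components, max_steps):
    """Offer the (I, ∅)-sequence β that only lets time pass: no inputs arrive from
    outside the given components. Locally controlled outputs fire while some
    component owes one; time can advance only when none does. Returns (ltime reached,
    discrete steps): (inf, n) means β was accommodated after n steps, (0.0, max_steps)
    means the system is still at time 0, i.e. stuck in a Zeno loop."""
    steps = 0
    while steps < max_steps:
        owing = [c for c in components if c.owes]
        if not owing:
            return INF, steps
        act = owing[0].out
        for c in components:
            c.do(act)
        steps += 1
    return 0.0, steps

def signature_of_A_parallel_B():
    return compose_signature(({"b"}, {"a"}), ({"a"}, {"b"}))     # (∅, {a, b})

def A_alone():
    return time_reached([Responder("a", "b", owes=True)], 1000)   # (inf, 1)

def B_alone():
    return time_reached([Responder("b", "a", owes=False)], 1000)  # (inf, 0)

def A_parallel_B():
    return time_reached([Responder("a", "b", True), Responder("b", "a", False)], 1000)  # (0.0, 1000)
```

Run alone, $A$ discharges its initial $a$ and then lets time pass, and $B$ lets time pass immediately, so both accommodate $\beta$. In the composition every $a$ creates an obligation for $B$ and every $b$ an obligation for $A$, so after any number of steps some component still refuses to let time pass; this is the Zeno behavior that receptiveness (Section 8.1.3, Theorem 8.14) rules out and that plain I/O feasibility does not.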


On the other hand, the following theorems say that the classes of progressive and receptive TIOAs are closed under composition:

Theorem 8.12 If $A_1$ and $A_2$ are compatible progressive TIOAs, then their composition is also progressive.

Proof: The proof is similar to the proof of Theorem 7.4 in [22]. The main idea behind the proof is that a Zeno execution of $A_1 \| A_2$ with infinitely many locally controlled actions contains infinitely many locally controlled actions of either $A_1$ or $A_2$. Suppose without loss of generality that the automaton that contributes infinitely many locally controlled actions is $A_1$. Then the projection onto $A_1$ violates progressiveness for $A_1$. ∎


Theorem 8.13 Let $A_1$ and $A_2$ be two compatible TIOAs with strategies $A_1'$ and $A_2'$, respectively. Then $A_1' \| A_2'$ is a strategy for $A_1 \| A_2$.

Proof: The proof is similar to the proof of Theorem 7.7 in [22]. ∎

Now, we can state the main result of this section, which follows easily from the previous two theorems. It shows that the class of receptive TIOAs is closed under composition.

Theorem 8.14 Let $A_1$ and $A_2$ be two compatible receptive TIOAs with progressive strategies $A_1'$ and $A_2'$, respectively. Then $A_1 \| A_2$ is a receptive TIOA with progressive strategy $A_1' \| A_2'$.


Example 8.15 (Composition of receptive TIOAs) Theorem 8.14 implies that the composition of the clock synchronization automata with the channel automata described in Example 5.7 (viewed as TIOAs as explained in Example 7.1) is receptive. By Theorem 7.6 we also have that it is I/O feasible. ∎

In fact, the fact that the set of I/O feasible TIOAs is not closed under composition motivated the definition of the more restrictive class of receptive TIOAs. That is, receptiveness is a reasonable sufficient condition that implies I/O feasibility, and that is also preserved by composition.

The special case of the HIOA model, represented by the TIOA model, has simpler and stronger composition theorems than the general HIOA model. In particular, the main compositionality result for receptive HIOAs (Theorem 7.12 in [22]) has a more intricate proof than ours. It makes an assumption about the existence of strongly compatible strategies (discussed briefly at the end of Section 8.1.1) and needs an additional lemma that shows that if two HIOAs $A_1$ and $A_2$, which may not be strongly compatible, have strongly compatible strategies $A_1'$ and $A_2'$, then $A_1$ and $A_2$ are also strongly compatible.


8.2 Hiding

We extend the definition of action hiding to any TIOA $A$. For TIOAs, we consider hiding outputs only (but not inputs), by converting them to internal actions. Namely, if $O \subseteq O_A$, then $ActHide(O, A)$ is the TIOA $B$ that is equal to $A$ except that $O_B = O_A - O$ and $H_B = H_A \cup O$.

Lemma 8.16 If $A$ is a TIOA and $O \subseteq O_A$ then $ActHide(O, A)$ is a TIOA.

Lemma 8.17 If $A$ is a TIOA and $O \subseteq O_A$ then $traces_{ActHide(O, A)} = \{\beta \lceil (E_A - O, \emptyset) \mid \beta \in traces_A\}$.

Theorem 8.18 Suppose $A$ and $B$ are TIOAs with $A \le B$, and suppose $O \subseteq O_A$. Then $ActHide(O, A) \le ActHide(O, B)$.


9 Properties for Timed I/O Automata

In this section, we present some definitions and results for timed I/O automata with properties. We focus on the definitions and results, such as those that involve receptiveness for properties, that become of interest with the introduction of the input/output distinction to the model.


9.1 Definitions and Basic Results

A property for a timed I/O automaton $A = (B, I, O)$ is defined to be a property of its underlying timed automaton, that is, it is a subset of the execution fragments of $B$.

Now, we introduce a notion of liveness property that takes into account how a system responds to inputs from its environment. A property $P$ for a TIOA $A$ is defined to be an I/O liveness property provided that for each closed execution fragment $\alpha$ of $A$ and each $(I, \emptyset)$-sequence $\beta$, there is some execution fragment $\alpha'$ such that $\alpha' \lceil (I, \emptyset) = \beta$ and $\alpha \frown \alpha' \in P$. In other words, no matter how $A$ behaves for a finite period of time, and no matter what inputs arrive, it is still possible for $A$ to continue in some way and satisfy $P$.

The following theorem relates I/O feasibility and I/O liveness. An I/O feasible TIOA can be characterized by the fact that its set of execution fragments forms an I/O liveness property.

Theorem 9.1 A TIOA is I/O feasible if and only if its set of execution fragments is an I/O liveness property.

Proof: Fix $A$, a TIOA. First, assume that $A$ is I/O feasible. Let $\alpha$ be a closed execution fragment of $A$ with $\alpha.lstate = x$ and let $\beta$ be an $(I, \emptyset)$-sequence. I/O feasibility of $A$ implies that there is some $\alpha'$ from $x$ such that $\alpha' \lceil (I, \emptyset) = \beta$. Since $\alpha \frown \alpha' \in frags_A$, we can conclude that the set of execution fragments $frags_A$ of $A$ is an I/O liveness property.

For the converse, suppose that the set of execution fragments of $A$ is an I/O liveness property. Let $x$ be a state of $A$ and $\beta$ be an $(I, \emptyset)$-sequence. Since the set of execution fragments of $A$ is an I/O liveness property, there must be some $\alpha'$ such that $\wp(x) \frown \alpha' \in frags_A$ and $\alpha' \lceil (I, \emptyset) = \beta$. Clearly, $(\wp(x) \frown \alpha') \lceil (I, \emptyset) = \beta$, and therefore $A$ is I/O feasible. ∎
9.2 Composition

The following projection and pasting theorem for TIOAs with properties follows from a similar theorem, Theorem 6.24, for TAs with properties.

Theorem 9.2 Let $A_1$ and $A_2$ be two compatible TIOAs and $P_1$ and $P_2$ be properties for $A_1$ and $A_2$, respectively. Then $traces_{(A_1 \| A_2, P_1 \| P_2)}$ is exactly the set of $(E, \emptyset)$-sequences whose restrictions to $A_1$ and $A_2$ are in $traces_{(A_1, P_1)}$ and $traces_{(A_2, P_2)}$, respectively. That is,

$traces_{(A_1 \| A_2, P_1 \| P_2)} = \{\beta \mid \beta \text{ is an } (E, \emptyset)\text{-sequence and } \beta \lceil (E_i, \emptyset) \in traces_{(A_i, P_i)},\ i \in \{1, 2\}\}$.


Theorem 8.7 and its corollary presented in Section 8 assume specification automata whose trace sets are closed under limits, and hence express safety constraints. In this section we present a theorem that can be used in the decomposition of verification where the specification automata may also express liveness properties.

The decomposition of a proof of the assertion $(A_1, P_1) \| (B_1, Q_1) \le (A_2, P_2) \| (B_2, Q_2)$ can be viewed as consisting of two parts. The first part involves the decomposition of the proof that $(A_1, P_1)$ and $(B_1, Q_1)$ satisfy their safety properties, and the second part involves the decomposition of the proof that $(A_1, P_1)$ and $(B_1, Q_1)$ satisfy their liveness properties. Theorem 9.3 uses Corollary 8.8 for the safety part of proofs; the first four hypotheses of Theorem 9.3 imply those of Corollary 8.8. The remaining two hypotheses involve the liveness part of proofs. They require one to find auxiliary automata with properties, $(A_3, P_3)$ and $(B_3, Q_3)$, such that $(A_1, P_1)$ implements $(A_3, P_3)$ in the context of $B_3$ without relying on the liveness property of $B_3$, and $(B_1, Q_1)$ implements $(B_3, Q_3)$ in the context of $A_3$ without relying on the liveness property of $A_3$. Moreover, $(A_1, P_1)$ must implement $(A_2, P_2)$ in the context of $(B_3, Q_3)$ and $(B_1, Q_1)$ must implement $(B_2, Q_2)$ in the context of $(A_3, P_3)$. That is, the implementation relation between $(A_1, P_1)$ and $(A_2, P_2)$ may depend on the liveness property $Q_3$ of the auxiliary context, and the implementation relation between $(B_1, Q_1)$ and $(B_2, Q_2)$ may depend on the liveness property $P_3$ of the auxiliary context.


Theorem 9.3 Suppose $A_1$, $A_2$, $A_3$, $B_1$, $B_2$, $B_3$ are TIOAs such that $A_1$, $A_2$, and $A_3$ are comparable, $B_1$, $B_2$, and $B_3$ are comparable, and $A_i$ is compatible with $B_i$ for $i \in \{1, 2, 3\}$. Suppose that $P_i$ is a property for $A_i$ and $Q_i$ is a property for $B_i$ for $i \in \{1, 2, 3\}$. Suppose further that:

1. The sets $traces_{A_3}$ and $traces_{B_3}$ are closed under limits.
2. The sets $traces_{A_3}$ and $traces_{B_3}$ are closed under time-extension.
3. $A_2 \le A_3$ and $B_2 \le B_3$.
4. $A_1 \| B_3 \le A_2 \| B_3$ and $A_3 \| B_1 \le A_3 \| B_2$.
5. $(A_1, P_1) \| (B_3, frags_{B_3}) \le (A_3, P_3) \| (B_3, frags_{B_3})$ and $(A_3, frags_{A_3}) \| (B_1, Q_1) \le (A_3, frags_{A_3}) \| (B_3, Q_3)$.
6. $(A_1, P_1) \| (B_3, Q_3) \le (A_2, P_2) \| (B_3, Q_3)$ and $(A_3, P_3) \| (B_1, Q_1) \le (A_3, P_3) \| (B_2, Q_2)$.

Then $(A_1, P_1) \| (B_1, Q_1) \le (A_2, P_2) \| (B_2, Q_2)$.


Proof: Let $\beta \in \mathit{traces}_{(A_1,P_1)\|(B_1,Q_1)}$. By definition of composition for automata with 
properties, $\beta \in \mathit{traces}_{A_1\|B_1}$. By Assumptions 1, 2, 3 and 4 and Corollary 8.8, we have 
$\beta \in \mathit{traces}_{A_2\|B_2}$. By projection using Theorem 8.3, $\beta\lceil(E_{A_2},\emptyset) \in \mathit{traces}_{A_2}$ and 
$\beta\lceil(E_{B_2},\emptyset) \in \mathit{traces}_{B_2}$. By Assumption 3, $\beta\lceil(E_{A_2},\emptyset) \in \mathit{traces}_{A_3}$ and 
$\beta\lceil(E_{B_2},\emptyset) \in \mathit{traces}_{B_3}$. Since $A_2$ and $A_3$ are comparable, and likewise $B_2$ and $B_3$, 
$\beta\lceil(E_{A_2},\emptyset) = \beta\lceil(E_{A_3},\emptyset)$ and $\beta\lceil(E_{B_2},\emptyset) = \beta\lceil(E_{B_3},\emptyset)$. Therefore, 
$\beta\lceil(E_{A_3},\emptyset) \in \mathit{traces}_{A_3}$ and $\beta\lceil(E_{B_3},\emptyset) \in \mathit{traces}_{B_3}$. 


By projection using Theorem 9.2, we have $\beta\lceil(E_{A_1},\emptyset) \in \mathit{traces}_{(A_1,P_1)}$ and 
$\beta\lceil(E_{B_1},\emptyset) \in \mathit{traces}_{(B_1,Q_1)}$. By pasting using Theorem 9.2, we have 
$\beta \in \mathit{traces}_{(A_1,P_1)\|(B_3,\mathit{frags}_{B_3})}$ and $\beta \in \mathit{traces}_{(B_1,Q_1)\|(A_3,\mathit{frags}_{A_3})}$. By Assumption 5, 
we have $\beta \in \mathit{traces}_{(A_3,P_3)\|(B_3,\mathit{frags}_{B_3})}$ and $\beta \in \mathit{traces}_{(B_3,Q_3)\|(A_3,\mathit{frags}_{A_3})}$. 
By projection using Theorem 9.2, we get $\beta\lceil(E_{A_3},\emptyset) \in \mathit{traces}_{(A_3,P_3)}$ and 
$\beta\lceil(E_{B_3},\emptyset) \in \mathit{traces}_{(B_3,Q_3)}$. Since $\beta\lceil(E_{A_1},\emptyset) \in \mathit{traces}_{(A_1,P_1)}$, by pasting 
using Theorem 9.2, we have $\beta \in \mathit{traces}_{(A_1,P_1)\|(B_3,Q_3)}$; similarly, since 
$\beta\lceil(E_{B_1},\emptyset) \in \mathit{traces}_{(B_1,Q_1)}$, we have $\beta \in \mathit{traces}_{(B_1,Q_1)\|(A_3,P_3)}$. 


Finally, by Assumption 6, $\beta \in \mathit{traces}_{(A_2,P_2)\|(B_3,Q_3)}$ and $\beta \in \mathit{traces}_{(A_3,P_3)\|(B_2,Q_2)}$. 
Projecting with Theorem 9.2 gives $\beta\lceil(E_{A_2},\emptyset) \in \mathit{traces}_{(A_2,P_2)}$ and 
$\beta\lceil(E_{B_2},\emptyset) \in \mathit{traces}_{(B_2,Q_2)}$, and pasting with Theorem 9.2 gives 
$\beta \in \mathit{traces}_{(A_2,P_2)\|(B_2,Q_2)}$, as needed. $\square$ 


Example 9.4 (Using environment assumptions to prove liveness) This example 
illustrates the use of Theorem 9.3 in decomposing the proof of an implementation relation- 
ship where the implementation and the specification are not merely compositions of automata 
but compositions of automata that satisfy some liveness property. 


Let UseOldInputA', UseOldInputB', UseNewInputA', and UseNewInputB' be au- 
tomata which are defined exactly as UseOldInputA, UseOldInputB, UseNewInputA, 
and UseNewInputB from Example 8.10, except that there is no bound on the number of 
outputs that the automata can perform. That is, maxout is removed from their sets of 
state variables. Let $P_1$, $P_2$, $Q_1$ and $Q_2$ be properties for, respectively, UseNewInputA', 
UseOldInputA', UseNewInputB' and UseOldInputB', defined as follows: 


• $P_1$ consists of the admissible execution fragments of UseNewInputA'. 

• $Q_1$ consists of the admissible execution fragments of UseNewInputB'. 

• $P_2$ consists of the execution fragments of UseOldInputA' that contain infinitely 
many $a$ actions. 

• $Q_2$ consists of the execution fragments of UseOldInputB' that contain infinitely 
many $b$ actions. 


Suppose that we want to prove that: 


(UseNewInputA', $P_1$)||(UseNewInputB', $Q_1$) $\le$ (UseOldInputA', $P_2$)||(UseOldInputB', $Q_2$). 

The automata UseNewInputA'||UseNewInputB' and UseOldInputA'||UseOldInputB' 
perform an alternating sequence of $a$ and $b$ actions. The properties express the additional 
condition that, as time goes to infinity, the composite automaton UseNewInputA'||UseNewInputB' 
performs infinitely many $a$ and infinitely many $b$ actions, where $a$ and $b$ actions alternate. 


As in Example 8.10, the automata AlternateA and AlternateB from Figure 16 satisfy the 
required closure properties for auxiliary automata and capture what is essential about 
the safety part of the proof, namely that the environments of UseNewInputA' and 
UseNewInputB' impose alternation. The essential point in the proof of the liveness 
part is that each automaton responds to each input it receives from its environment. 
Therefore, we need to pair AlternateA and AlternateB with properties that eliminate 
non-responding behavior. The properties $P_3$ and $Q_3$ defined below satisfy this condition: 


• $P_3$ consists of the execution fragments $\alpha$ of AlternateA that satisfy the following condi- 
tion: if $\alpha$ has finitely many actions, then the last action in $\alpha$ is $a$. 


• $Q_3$ consists of the execution fragments $\alpha$ of AlternateB that satisfy the following condi- 
tion: if $\alpha$ has finitely many actions and contains at least one $a$, then the last action 
in $\alpha$ is $b$. 


In order to see why the first part of Assumption 5 is satisfied, we can inspect the 
definition of UseNewInputA (Example 8.10) and observe that UseNewInputA' performs an output $a$ one 
time unit after each input $b$ when it is composed with AlternateB. This implies that 
in any admissible execution fragment of UseNewInputA'||AlternateB with finitely many 
actions the last action must be $a$: if the last action were $b$, a further $a$ would occur one time 
unit later, since time goes to infinity. This is exactly the liveness constraint expressed by $P_3$. 
The second part of Assumption 5 can be seen to hold using a symmetric argument. 


In order to see why the first part of Assumption 6 holds, consider any execution fragment 
$\beta$ of UseNewInputA'||AlternateB. For $\beta$ to satisfy $P_1$ and $Q_3$ at the same time, it must 
consist of an infinite sequence in which $a$ and $b$ actions alternate. It is not possible for 
UseNewInputA'||AlternateB to have an admissible execution fragment with finitely many 
actions, because the definition of UseNewInputA' requires such a sequence to end in $a$, while 
this is ruled out by $Q_3$, which requires AlternateB to respond to $a$. Such a $\beta$ therefore contains 
infinitely many $a$ actions, as $P_2$ requires. The second part of 
Assumption 6 can be seen to hold using a symmetric argument. 


Note that in our explanations we refer to execution fragments rather than to traces of 
execution fragments. This is because our examples do not include any internal actions, 
and our arguments for execution fragments extend to trace fragments in a straightforward 
way. $\square$ 
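The properties used in this example can be made concrete on finitely represented execution fragments. The following Python block is an added illustration, not code from the paper: it represents an execution fragment over the actions $a$ and $b$ as a lasso, a finite prefix of steps followed by an optional cycle that repeats forever (a modelling assumption; the paper's fragments are arbitrary $(A,V)$-sequences), encodes admissibility ($P_1$, $Q_1$), "infinitely many $a$/$b$" ($P_2$, $Q_2$), $P_3$ and $Q_3$ as predicates, and applies them to constructed fragments that show which non-responding or Zeno behaviours each property rules out. The treatment of a fragment with no actions at all as satisfying $P_3$ is an assumption of the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple, Union

# Constructed illustration, not part of the TIOA paper: an execution
# fragment over the actions a and b is a "lasso", a finite prefix of steps
# followed by an optional cycle that repeats forever.  A step is either a
# discrete action ("act", "a") or time passage ("time", d).
Step = Tuple[str, Union[str, float]]


@dataclass
class Lasso:
    prefix: List[Step]
    cycle: List[Step] = field(default_factory=list)  # empty cycle: finite fragment

    @staticmethod
    def _acts(steps: List[Step]) -> List[str]:
        return [str(x) for kind, x in steps if kind == "act"]

    @staticmethod
    def _time(steps: List[Step]) -> float:
        return sum(float(x) for kind, x in steps if kind == "time")

    def prefix_actions(self) -> List[str]:
        return self._acts(self.prefix)

    def cycle_actions(self) -> List[str]:
        return self._acts(self.cycle)

    def cycle_time(self) -> float:
        return self._time(self.cycle)


# P1 / Q1: admissible, i.e. time goes to infinity.  A finite fragment has
# bounded duration; an infinite one diverges iff every repetition of the
# cycle lets a positive amount of time pass (otherwise it is Zeno).
def is_admissible(e: Lasso) -> bool:
    return e.cycle_time() > 0


# P2 (act = "a") / Q2 (act = "b"): the action occurs infinitely often,
# i.e. it occurs somewhere in the cycle.
def infinitely_many(e: Lasso, act: str) -> bool:
    return act in e.cycle_actions()


def finitely_many_actions(e: Lasso) -> bool:
    return not e.cycle_actions()


# P3 for AlternateA: finitely many actions implies the last one is a.
# Assumption of this illustration: no actions at all counts as satisfied.
def satisfies_P3(e: Lasso) -> bool:
    if not finitely_many_actions(e):
        return True
    acts = e.prefix_actions()
    return not acts or acts[-1] == "a"


# Q3 for AlternateB: finitely many actions and at least one a implies the
# last action is b (AlternateB must answer the last a).
def satisfies_Q3(e: Lasso) -> bool:
    if not finitely_many_actions(e):
        return True
    acts = e.prefix_actions()
    return "a" not in acts or acts[-1] == "b"


# Safety side of the example: only a and b occur, and they alternate.
# Unrolling the cycle twice covers the prefix/cycle and cycle/cycle seams.
def alternates(e: Lasso) -> bool:
    seq = e.prefix_actions() + 2 * e.cycle_actions()
    return set(seq) <= {"a", "b"} and all(x != y for x, y in zip(seq, seq[1:]))


# What (UseOldInputA', P2) || (UseOldInputB', Q2) demands of a composite
# execution: alternation plus infinitely many a and infinitely many b.
def satisfies_spec(e: Lasso) -> bool:
    return alternates(e) and infinitely_many(e, "a") and infinitely_many(e, "b")


# Constructed sample fragments.
LIVE = Lasso(prefix=[("act", "a")],
             cycle=[("time", 1.0), ("act", "b"), ("time", 1.0), ("act", "a")])
# AlternateB never answers the a: admissible, but violates Q3.
B_SILENT = Lasso(prefix=[("act", "a")], cycle=[("time", 1.0)])
# The a-side never answers the b: admissible, but violates P3.
A_SILENT = Lasso(prefix=[("act", "a"), ("time", 1.0), ("act", "b")],
                 cycle=[("time", 1.0)])
# Infinitely many alternating actions with no time passage: Zeno, not in P1.
ZENO = Lasso(prefix=[], cycle=[("act", "a"), ("act", "b")])


def classify(e: Lasso) -> dict:
    return {"admissible": is_admissible(e), "P3": satisfies_P3(e),
            "Q3": satisfies_Q3(e), "spec": satisfies_spec(e)}


if __name__ == "__main__":
    for name, e in [("LIVE", LIVE), ("B_SILENT", B_SILENT),
                    ("A_SILENT", A_SILENT), ("ZENO", ZENO)]:
        print(name, classify(e))
```

The ZENO fragment satisfies the specification's liveness properties $P_2$ and $Q_2$ but not admissibility, which is why the implementation side of the example carries $P_1$ and $Q_1$; the two silent fragments are exactly the non-responding behaviours that $Q_3$ and $P_3$ eliminate in the argument for Assumption 6.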


9.3 Receptiveness for Properties 


If we were to define a live TIOA to be a pair $(A, L)$ of a TIOA $A$ coupled with an I/O liveness 
property $L$, then the resulting class of systems would not be closed under composition. The 
problem, which was already noted in previous studies of liveness properties for timed 
I/O automata such as [36], is that this definition allows a system to choose its relative 
speed with respect to the environment, and to base its decisions on the future behavior of 
the environment. As a result, the live preorder is not substitutive for parallel composition. 
To solve these problems, previous studies have introduced notions of receptive strategies 
to guarantee that a system does not constrain its environment. The TIOA framework 
incorporates a simpler (although less general) notion of strategy than those considered in 
previous work on timed I/O automata [36]. 


We begin with a definition of receptiveness for a property. Let A be a TIOA and let 
P be a property for A, that is, a subset of the execution fragments of A. Then we say 
that A is receptive for P provided that there exists a strategy A’ for A such that every 
execution fragment of A’ is in P. That is, A has a strategy that can always ensure that 
P is satisfied (regardless of the behavior of the environment). 


The following theorem shows that if A is receptive for P and P is history-independent, 
then we can conclude that P is a liveness property for A. Theorem 9.6 strengthens this 
result: if we also know that P consists of non-locally-Zeno execution fragments, then P 
must be an I/O liveness property. 


Theorem 9.5 If a TIOA $A$ is receptive for $P$ and $P$ is history-independent, then $P$ is a 
liveness property for $A$. 


Proof: Suppose that $A$ is receptive for $P$. That is, $A$ has a strategy $A'$ such that 
$\mathit{frags}_{A'} \subseteq P$. Let $\alpha$ be a closed execution fragment of $A$ with $\alpha.\mathit{lstate} = x$. Since 
$Q_A = Q_{A'}$, we know that $x \in Q_{A'}$. Now we need to show that there exists some $\alpha'$ such 
that $\alpha \frown \alpha' \in P$. Let $\alpha' = \wp(x)$, the point trajectory at $x$. We know that $\wp(x) \in \mathit{frags}_{A'}$ by axiom T0. Since 
$\mathit{frags}_{A'} \subseteq P$, $\alpha' \in P$. Since $P$ is history-independent, $\alpha \frown \alpha' \in P$, as needed. $\square$ 


Theorem 9.6 If a TIOA $A$ is receptive for $P$ and $P$ is a history-independent property for 
$A$ consisting of non-locally-Zeno execution fragments, then $P$ is an I/O liveness property 
for $A$. 


Proof: Suppose $A$ is receptive for $P$. Then there exists a strategy $A'$ for $A$ such that 
$\mathit{frags}_{A'} \subseteq P$. Since all elements of $P$ are non-locally-Zeno, it follows that every element 
of $\mathit{frags}_{A'}$ is non-locally-Zeno; equivalently, $A'$ is progressive. By Theorem 7.4, we know 
that any progressive strategy is I/O feasible. 


Now, let $\alpha$ be a closed execution fragment of $A$ with $\alpha.\mathit{lstate} = x$ and let $\beta$ be an 
$(I,\emptyset)$-sequence. Since $Q_A = Q_{A'}$, we have $x \in Q_{A'}$, and since $A'$ is I/O feasible, there 
exists some execution fragment $\alpha'$ of $A'$ from $x$ such that $\alpha'\lceil(I,\emptyset) = \beta$. Since $\alpha' \in P$ and 
$P$ is history-independent, we have that $\alpha \frown \alpha' \in P$. Hence, $P$ is an I/O liveness property 
for $A$. $\square$ 
The need for the history-independence assumption in the two theorems above stems 
from the fact that strategies in our framework are memoryless, whereas liveness properties 
are defined in terms of the possibility of extending every closed execution fragment to a 
live execution fragment. The history-independence assumption might become unnecessary 
if we defined strategies to have memory while keeping the definition of liveness property as 
is. Alternatively, we could change the definition of a liveness property to a non-standard 
one, under which a property $P$ for $A$ is a liveness property provided that for 
any state $x$ of $A$ there is some execution fragment $\alpha$ from $x$ that is in $P$. 


The following is a basic theorem that has nice consequences for composition of au- 
tomata with liveness properties. Together with Theorems 9.5 and 9.6, it can be used for 
compositional reasoning about TIOAs with liveness properties. 


Theorem 9.7 Let $A_1$ and $A_2$ be two compatible TIOAs. If $A_1$ is receptive for $P_1$ and $A_2$ 
is receptive for $P_2$, then $A_1 \| A_2$ is receptive for $P_1 \| P_2$. 


Proof: The proof follows from Theorem 8.13 and the definition of the composition of prop- 
erties $P_1 \| P_2$ from Section 6. $\square$ 


10 Conclusions 


In this paper, we have defined a new timed I/O automaton modeling framework for de- 
scribing and analyzing the behavior of timed systems. This framework is a special case of 
the recently presented hybrid I/O automaton modeling framework [22]. We used what we 
have learned in developing the HIOA framework to revise the earlier work on timed I/O 
automaton models. Our main motivation was to have a timed I/O automaton model that 
is compatible with the new HIOA model. We sought to benefit from the new style used 
in describing hybrid behavior in simplifying the prior definitions and results on timed 
I/O automata. Moreover, we extended the work on the HIOA model by investigating 
safety and liveness properties and receptiveness for general liveness, not only for feasibil- 
ity as in the HIOA framework. The results presented in this paper suggest that we are 
not that far from having a unified framework for timed and hybrid systems in which we 
can collect and summarize previous results of our own work. We have also established 
formal relationships with other models that are comparable to ours, showing that the 
TIOA framework is general enough to express previous results from other frameworks, 
such as [29, 28, 6, 27, 25, 36]. 


Designers of real-time systems or timing-based algorithms can use the TIOA frame- 
work to describe complex systems and to decompose them into manageable pieces. In 
particular, they can use the TIOA framework to describe their systems at multiple lev- 
els of abstraction, to establish implementation relationships between these levels and to 
decompose their systems into more primitive, interacting components. 
The TIOA framework supports precise statement and verification of safety, liveness, 
and performance properties of timing-dependent systems. Since the TIOA framework is 
purely mathematical, proofs are generally done by hand at present. However, the TIOA 
framework provides a natural basis for computer support tools, which will be developed 
in the future as an extension to the IOA toolkit [13]. These tools include a syntax and 
static semantics checker for TIOA specifications, a simulator and partially automated proof 
tools that employ dynamic invariant detection techniques. There is also work in progress 
toward a tool to automatically translate TIOA specifications into the input language of 
UPPAAL [82, 21], which is discussed in more detail in Section 1.2. This would allow 
us to benefit from fully automated methods in verifying TIOAs that are expressible in 
UPPAAL. 
A Notational Conventions 


a, b       action 
f, g, h    function 
i, j       index 
           locally controlled action 
           time point 
           variable 
           set of actions 
           task 
           set of external actions 
           set of functions 
           set of internal (hidden) actions 
           set of input actions 
           interval 
           set of time points 
           set of locally controlled actions 
           set of output actions 
           set of elements in cpo 
           set of automaton states 
           (simulation) relation 
           set 
           set of trajectories 
           set of variables 
           set of internal variables 
           state 
           valuation 
           timed (I/O) automaton 
           set of discrete transitions 
           set of trajectories 
           the natural numbers 
           the real numbers 
           the time axis 
           the integers 
           the universe of variables 
           (A, V)-sequence 
           sequence 
           the empty sequence 
           projection function 
           sequence 
           trajectory 
           set of start states 